xref: /freebsd/contrib/unbound/doc/Changelog (revision b2efd602aea8b3cbc3fb215b9611946d04fceb10)
117 September 2025: Yorgos
2	- Too many quotes for the EDE message debug printout.
3
415 September 2025: Yorgos
5	- Small debug output improvement when attaching an EDE.
6
715 September 2025: Wouter
8	- Fix to print warning for when so-sndbuf setsockopt is not granted.
9
1011 September 2025: Wouter
11	- version set to 1.24.0 for release.
12	- tag for 1.24.0rc1.
13	- Update contrib/aaaa-filter-iterator.patch so it applies on 1.24.0.
14
159 September 2025: Wouter
16	- Fix #1332: CNAME chains are sometimes not followed when RPZs add a
17	  local CNAME rewrite.
18
198 September 2025: Yorgos
20	- Update documentation for using "SET ... EX" in Redis.
21	- Document max buffer sizes for Redis commands.
22	- Update man pages.
23
243 September 2025: Wouter
25	- For #1328: make depend.
26
272 September 2025: Wouter
28	- Fix #1235: Outdated Python2 code in
29	  unbound/pythonmod/examples/log.py.
30	- Fix #1324: Memory leak in 'msgparse.c' in
31	  'parse_edns_options_from_query(...)'.
32	- Fix indentation in tcp-mss option parsing.
33
341 September 2025: Wouter
35	- Fix for #1324: Fix to free edns options scratch in ratelimit case.
36
3729 August 2025: Yorgos
38	- Limit the number of consecutive reads on an HTTP/2 session.
39	  Thanks to Gal Bar Nahum for exposing the possibility of infinite
40	  reads on the session.
41
4228 August 2025: Wouter
43	- Fix setup_listen_sslctx warning for nettle compile.
44
4527 August 2025: Wouter
46	- Fix unbound-control dump_cache for double unlock of lruhash table.
47
4826 August 2025: Wouter
49	- Fix ports workflow to install expat for macos.
50
5122 August 2025: Wouter
52	- For #1318: Fix compile warnings for DoH compile on windows.
53	- Fix sha1 enable environment variable in test code on windows.
54	- Fix #1319: [FR] zone status for Unbound auth-zones.
55	- Fix that the zone acquired timestamp is set after the
56	  zonefile is read.
57
5821 August 2025: Wouter
59	- Fix to check for extraneous command arguments for unbound-control,
60	  when the command takes no arguments but there are arguments present.
61	- Fix #1317: Unbound starts too early. Add
62	  Wants=network-online.target under [Unit] in unbound.service.
63	- Fix for #1317: Fix contrib/unbound.service comment path for
64	  systemd network configuration.
65
6615 August 2025: Wouter
67	- unbound-control cache_lookup +t allows tld and root names. And
68	  subnet cache contents are printed.
69	- Fix cache_lookup subnet printout to wipe zero part of the prefix.
70	- Fix cache_lookup subnet print to not print messages without rrsets
71	  and perform in-depth check on node in the addrtree.
72
7314 August 2025: Wouter
74	- Fix to increase responsiveness of dump_cache.
75	- Fix to decouple file descriptor activity and cache lookups in
76	  dump_cache.
77
7813 August 2025: Wouter
79	- unbound-control cache_lookup <domains> prints the cached rrsets
80	  and messages for those.
81	- Fix to remove debug from cache_lookup.
82	- Fix to unlock cache_lookup message for malformed records.
83
8412 August 2025: Wouter
85	- Fix that unbound-control dump_cache releases the cache locks
86	  every so often, so that the server stays responsive.
87
887 August 2025: Wouter
89	- Fix dname_str for printout of long names. Thanks to Jan Komissar
90	  for the fix.
91	- Fix that edns-subnet failure to create a subquery errors as
92	  servfail, and not formerror.
93	- Fix to whitespace in dname_str.
94
956 August 2025: Wouter
96	- Fix edns subnet, so that the subquery without subnet is stored in
97	  global cache if the querier used 0.0.0.0/0 and the name and address
98	  do not receive subnet treatment. If the name and address are
99	  configured for subnet, it is stored in the subnet cache.
100
1015 August 2025: Wouter
102	- Fix #1309: incorrectly reclaimed tcp handler can cause data
103	  corruption and segfault.
104	- Fix to use assertions for consistency checks in #1309 reclaimed
105	  tcp handlers.
106
1071 August 2025: Wouter
108	- Fix testbound test program to accurately output packets from hex.
109
11028 July 2025: Wouter
111	- Fix redis cachedb module gettimeofday init failure.
112
11324 July 2025: Wouter
114	- Redis checks for server down and throttles reconnects.
115
11617 July 2025: Wouter
117	- Fix to not set rlimits in the unit tests.
118	- Fix #1303: [FR] Disable TLSv1.2.
119	- iana portlist updated.
120
12116 July 2025: Wouter
122	- Fix for RebirthDay Attack CVE-2025-5994, reported by Xiang Li
123	  from AOSP Lab Nankai University.
124	- Tag for 1.23.1 with the release of 1.23.0 and the CVE fix, the
125	  repository continues with the previous fixes, with 1.23.2.
126	- Add unit tests for non-ecs aggregation.
127
12812 July 2025: Yorgos
129	- Merge #1289 from Roland van Rijswijk-Deij: Add extra statistic to
130	  track the number of signature validation operations.
131	  Adds 'num.valops' to extended statistics.
132	- For #1289: test num.valops in existing stat_values.tdir.
133	- For #1289: add num.valops in the unbound-control man page.
134
13511 July 2025: Wouter
136	- Fix detection of SSL_CTX_set_tmp_ecdh function.
137	- For #1301: configure cant find SSL_is_quic in OpenSSL 3.5.1.
138
1398 July 2025: Wouter
140	- Fix to improve dnstap discovery on Fedora.
141
1423 July 2025: Wouter
143	- Fix #1300: Is 'sock-queue-timeout' a linux only feature.
144	- For #1300: implement sock-queue-timeout for FreeBSD as well.
145	- Fix layout of comm_point_udp_ancil_callback.
146
1472 July 2025: Wouter
148	- Merge #1299: Fix typos.
149	- Generate ltmain.sh and configure again.
150
15125 June 2025: Yorgos
152	- Fix #1247: forward-first: ssl handshake failed on root nameservers.
153	- For #1247, turn off fetch-policy for delegation when looking into
154	  parent side name servers that may not update the addresses and hit
155	  NXNS limits.
156	- For #1247, replay test (added tcp_transport to
157	  outnet_serviced_query).
158
15920 June 2025: Yorgos
160	- Fix #1293: EDE 6 is attached to insecure cached answers when client
161	  sends the CD bit.
162
16319 June 2025: Wouter
164	- Fix #1296: DNS over QUIC depends on a very outdated version of
165	  ngtcp2. Fixed so it works with ngtcp2 1.13.0 and OpenSSL 3.5.0.
166	- Merge #1297: edns-subnet: fix NULL_AFTER_DEREF on subnetmod.
167	- Fix rrset cache create allocation failure case.
168
16917 June 2025: Yorgos
170	- Fix for consistent use of local zone CNAME alias for configured auth
171	  zones. Now it also applies to downstream configured auth zones.
172
17316 June 2025: Wouter
174	- Fix to check control-interface addresses in unbound-checkconf.
175	- Fix #1295: Windows 32-bit binaries download seems to be missing dll
176	  dependency.
177
17812 June 2025: Wouter
179	- Fix header return value description for skip_pkt_rrs and
180	  parse_edns_from_query_pkt.
181
18211 June 2025: Wouter
183	- Fix bitwise operators in conditional expressions with parentheses.
184	- Fix conditional expressions with parentheses for bitwise and.
185
1865 June 2025: Wouter
187	- Fix unbound-anchor certificate file read for line ends and end of
188	  file.
189	- Fix comment for the dname_remove_label_limit_len function.
190	- iana portlist updated.
191
1923 June 2025: Yorgos
193	- Small manpage corrections for the 'disable-dnssec-lame-check' option.
194
19521 May 2025: Wouter
196	- Fix #1288: [FR] Improve fuzzing of unbound by adapting the netbound
197	  program.
198
19920 May 2025: Yorgos
200	- Merge #1285:  RST man pages. It introduces restructuredText man pages
201	  to sync the online and source code man page documentation.
202	  The templated man pages (*.in) are still part of the repo but
203	  generated with docutils from their .rst counterpart.
204	  Documentation on how to generate those (mainly for core developers)
205	  is in README.man.
206	- Add more checks about respip in unbound-checkconf.
207	  Also fixes #310: unbound-checkconf not reporting RPZ configuration
208	  error.
209
21019 May 2025: Wouter
211	- Fix for cname chain length with qtype ANY and qname minimisation.
212	  Thanks to Jim Greenwood from Nominet for the report.
213
21415 May 2025: Wouter
215	- Fix config of slab values when there is no config file.
216
21713 May 2025: Yorgos
218	- Fix #1284: NULL pointer deref in az_find_nsec_cover() (latent bug)
219	  by adding a log_assert() to safeguard future development.
220	- Fix #1282: log-destaddr fail on long ipv6 addresses.
221
22213 May 2025: Wouter
223	- Change default for so-sndbuf to 1m, to mitigate a cross-layer
224	  issue where the UDP socket send buffers are exhausted waiting
225	  for ARP/NDP resolution. Thanks to Reflyable for the report.
226	- Adjusted so-sndbuf default to 4m.
227
22812 May 2025: Yorgos
229	- Merge #1280: Fix auth nsec3 code. Fixes NSEC3 code to not break on
230	  broken auth zones that include unsigned out of zone (above apex)
231	  data. Could lead to hang while trying to prove a wildcard answer.
232
23312 May 2025: Wouter
234	- Fix #1283: Unsafe usage of atoi() while parsing the configuration
235	  file.
236
2379 May 2025: Wouter
238	- Fix #1281: forward-zone "name: ." conflicts with auth-zone "name: ."
239	  in 1.23.0, but worked in 1.22.0.
240
2415 May 2025: Yorgos
242	- Sync unbound and unbound-checkconf log output for unknown modules.
243
24429 April 2025: Wouter
245	- Fix for parallel build of dnstap protoc-c output.
246	- Fix dnstap to use protoc.
247
24829 April 2025: Yorgos
249	- Merge #1276: Auto-configure '-slabs' values.
250
25128 April 2025: Yorgos
252	- Merge #1275: Use macros for the fr_check_changed* functions.
253
25425 April 2025: Wouter
255	- Fix #1272: assertion failure testcode/unitverify.c:202.
256
25716 April 2025: Wouter
258	- Increase default to `num-queries-per-thread: 2048`, when unbound is
259	  compiled with libevent. It makes saturation of the task queue more
260	  resource intensive and less practical. Thanks to Shiming Liu,
261	  Network and Information Security Lab, Tsinghua University for the
262	  report.
263
26411 April 2025: Wouter
265	- Tag for 1.23.0rc2. This became the release of 1.23.0 on 24 April
266	  2025. The code repository continues with 1.23.1 in development.
267
26811 April 2025: Yorgos
269	- Merge #1265: Fix WSAPoll.
270
27110 April 2025: Wouter
272	- Fix for print of connection type in log-replies for dot and doh.
273
2749 April 2025: Wouter
275	- Fix to detect if atomic_store links in configure.
276	- Fix #1264: unbound 1.22.0 leaks memory when doing DoH.
277
2788 April 2025: Wouter
279	- Tag for 1.23.0rc1.
280	- Fix fast_reload to print chroot with config file name.
281
2827 April 2025: Yorgos
283	- Merge #902: DNS Error Reporting (RFC 9567). Introduces new
284	  configuration option 'dns-error-reporting' and new statistics for
285	  'num.dns_error_reports'.
286
2874 April 2025: Wouter
288	- Fix mesh_copy_client_info to omit null contents from copy.
289	- Fix comment name in the rpz nsdname test.
290	- Fix nettle compile for warnings and ticket keys.
291	- Fix redis_replica test for unused option defaults and log printout.
292	- Fix test to speed up common.sh script kill_pid.
293	- Fix to update common.sh for speed of kill_pid.
294
2954 April 2025: Yorgos
296	- Merge #1019: Redis read-only replica support.
297	  Introduces new 'redis-replica-*' options for the Redis cache backend.
298
2993 April 2025: Wouter
300	- Fix #1263: Exempt loopback addresses from wait-limit.
301	- Fix wait-limit-netblock and wait-limit-cookie-netblock config parse
302	  to allow two arguments.
303	- Fix ub_event and include dnstap and win_svc headers.
304	- Fix test for stat_values for wait limit defaults for localhost.
305	- Fix parameter unused warning in net_help.c.
306
3072 April 2025: Yorgos
308	- Merge #1262 from markyang92, fix build with
309	  'gcc-15 -Wbuiltin-declaration-mismatch' error in compat/malloc.c.
310	- For #1262, ifdef is no longer needed.
311
3122 April 2025: Wouter
313	- Fix unbound-control test so it counts the new flush_negative output,
314	  also answers the _ta probe from testns and prints command output
315	  and skip a thread specific test when no threads are available.
316	- Fix that ub_event has the facility to deal with callbacks for
317	  fast reload, doq, windows-stop and dnstap.
318	- Fix fast reload test to check if pid exists before acting on it.
319
3201 April 2025: Wouter
321	- Fix escape more characters when printing an RR type with an unquoted
322	  string.
323	- Enable the auth_tls.tdir and auth_tls_failcert.tdir tests.
324
32531 March 2025: Wouter
326	- iana portlist update.
327	- Merge #1042: Fast Reload. The unbound-control fast_reload is added.
328	  It reads changed config in a thread, then only briefly pauses the
329	  service threads, that keep running. DNS service is only interrupted
330	  briefly, less than a second.
331	- Skip the unit tests for auth_tls.tdir and auth_tls_failcert.tdir.
332
33327 March 2025: Wouter
334	- Fix unit test dname log printout typecast.
335	- Fix for ci test, expat is installed on the osx image.
336
33726 March 2025: Yorgos
338	- Fix #1255: Multiple pinnings to vulnerable copies of libexpat.
339	- For #1255, for ios use an older expat version that does not require
340	  C++11 language features.
341	- For #1255, for ios disable building tests that require C++11.
342	- For #1255, for ios try the latest expat version again.
343
34424 March 2025: Wouter
345	- Fix #1254: `send failed: Socket is not connected` and
346	  `remote address is 0.0.0.0 port 53`.
347
34821 March 2025: Wouter
349	- Fix #1253: Cache entries fail to be removed from Redis cachedb
350	  backend with unbound-control flush* +c.
351	- Fix for #1253: Fix for redis cachedb backend to expect an integer
352	  reply for the EXPIRE command.
353
35420 March 2025: Wouter
355	- Fix print of RR type NSAP-PTR, it is an unquoted string.
356
35718 March 2025: Wouter
358	- Fix #1251: WSAPoll first argument cannot be NULL.
359	- Fix for windows compile create ssl contexts.
360
36117 March 2025: Wouter
362	- Fix representation of types GPOS and RESINFO, add rdf type for
363	  unquoted str.
364
36516 March 2025: Yorgos
366	- Fix 'unbound-control flush_negative' when reporting removed data;
367	  reported by David 'eqvinox' Lamparter.
368
36928 February 2025: Wouter
370	- Merge #1238: Prefer SOURCE_DATE_EPOCH over actual time.
371	  Add --help output description for the SOURCE_DATE_EPOCH variable.
372
37325 February 2025: Wouter
374	- Merge #1243: Do not shadow tm on line 236.
375
37624 February 2025: Yorgos
377	- Fix hash calculation for cachedb to ignore case. Previously, cached
378	  records there were only relevant for same case queries (if not
379	  already in Unbound's internal cache).
380
38119 February 2025: Yorgos
382	- Fix static analysis report about unhandled EOF on error conditions
383	  when reading anchor key files.
384	- Merge #1241: Fix infra-keep-probing for low infra-cache-max-rtt
385	  values.
386
38717 February 2025: Yorgos
388	- Consider reconfigurations when calculating the still_useful_timeout
389	  for servers in the infrastructure cache.
390
39130 January 2025: Wouter
392	- Fix #986: Resolving sas.com with dnssec-validation fails though
393	  signed delegations seem to be (mostly) correct.
394
39529 January 2025: Yorgos
396	- Make the default value of module-config "validator iterator"
397	  regardless of compilation options. --enable-subnet would implicitly
398	  change the value to enable the subnetcache module by default in the
399	  past.
400
40124 January 2025: Yorgos
402	- Merge #1220 from Petr Menšík, Add unbound members group access to
403	  control key.
404
40521 January 2025: Yorgos
406	- Use the same interface listening port discovery code for all needed
407	  protocols.
408	- Port to string only when needed before getaddrinfo().
409	- Do not open unencrypted channels next to encrypted ones on the same
410	  port.
411	- Merge #1224 from Theo Buehler: Do not use DSA API unless USE_DSA is
412	  set.
413
41421 January 2025: Wouter
415	- Fix compile of interface check code when dnscrypt or quic is
416	  disabled.
417	- Fix encoding of RR type ATMA.
418	- Fix to check length in ATMA string to wire.
419	- Merge #1229: check before use daemon->shm_info.
420
42120 January 2025: Yorgos
422	- Merge #1222: Unique DoT and DoH SSL contexts to allow for different
423	  ALPN.
424	- Create the quic SSL listening context only when needed.
425
42615 January 2025: Yorgos
427	- Merge #1221: Consider auth zones when checking for forwarders.
428
42914 January 2025: Yorgos
430	- Add resolver.arpa and service.arpa to the default locally served
431	  zones.
432
43313 January 2025: Yorgos
434	- Fix #1213: Misleading error message on default access control causing
435	  refuse.
436
43710 January 2025: Yorgos
438	- Merge #1214: Use TCP_NODELAY on TLS sockets to speed up the TLS
439	  handshake.
440
44131 December 2024: Yorgos
442	- Merge #1174: Serve expired cache update fixes. Fixes a regression bug
443	  with serve-expired that appeared in 1.22.0 and would not allow the
444	  iterator to update the cache with not-yet-validated entries resulting
445	  in increased outgoing traffic.
446
44720 December 2024: Yorgos
448	- For #1207: [FR] Support for RESINFO RRType 261 (RFC9606), add
449	  LDNS_RR_TYPE_RESINFO similar to LDNS_RR_TYPE_TXT.
450
45113 December 2024: Yorgos
452	- Merge #1204: ci: set persist-credentials: false for actions/checkout
453	  per zizmor suggestion.
454
4553 December 2024: Yorgos
456	- Merge #1189: Fix the dname_str method to cause conversion errors
457	  when the domain name length is 255.
458	- Merge #1197: dname_str() fixes.
459	- For #1175, the default value of serve-expired-ttl is set to 86400
460	  (1 day) as suggested by RFC8767.
461	- Merge #1198: Fix log-servfail with serve expired and no useful cache
462	  contents.
463	- Safeguard alias loop while looking in the cache for expired answers.
464	- Merge #1187: Create the SSL_CTX for QUIC before chroot and privilege
465	  drop.
466	- Fix typo in log_servfail.tdir test.
467
46822 November 2024: Yorgos
469	- Fix #1175: serve-expired does not adhere to secure-by-default
470	  principle. The default value of serve-expired-client-timeout
471	  is set to 1800 as suggested by RFC8767.
472	- For #1175, update serve-expired tests.
473
47420 November 2024: Yorgos
475	- Fix comparison to help static analyzer.
476
47719 November 2024: Yorgos
478	- Merge #1169 from Sergey Kacheev, fix: lock-free counters for
479	  auth_zone up/down queries.
480
48115 November 2024: Wouter
482	- Fix #1183: the data being used is released in method
483	  nsec3_hash_test_entry.
484	- Fix for #1183: release nsec3 hashes per test file.
485
4868 November 2024: Yorgos
487	- More descriptive text for 'harden-algo-downgrade'.
488	- Complete fix for max-global-quota to 200.
489
4906 November 2024: Yorgos
491	- Increase the default of max-global-quota to 200 from 128 after
492	  operational feedback. Still keeping the possible amplification
493	  factor (CAMP related issues) in the hundreds.
494
4955 November 2024: Wouter
496	- Fix for the serve expired DNSSEC information fix, it would not allow
497	  current delegation information be updated in cache. The fix allows
498	  current delegation and validation recursion information to be
499	  updated, but as a consequence no longer has certain expired
500	  information around for later dnssec valid expired responses.
501	- Fix to log redis timeout error string on failure.
502
5035 November 2024: Yorgos
504	- Fix SETEX check during Redis (re)initialization.
505
5064 November 2024: Wouter
507	- Fix redis that during a reload it does not fail if the redis
508	  server does not connect or does not respond. It still logs the
509	  errors and if the server is up checks expiration features.
510	- Merge #1167: Makefile.in: fix occasional parallel build failures
511	  around bison rule.
512
5131 November 2024: Yorgos
514	- Merge #1159: Stats for discard-timeout and wait-limit.
515	- Add test case for #1159.
516	- Some clean up for stat_values.test.
517	- Merge #1170 from Melroy van den Berg, Fix chroot manpage
518	  description.
519	- Merge #1157 from Liang Zhu, Fix heap corruption when calling
520	  ub_ctx_delete in Windows.
521
52225 October 2024: Yorgos
523	- Fix #1163: Typos in unbound.conf documentation.
524
52517 October 2024: Wouter
526	- Tag for 1.22.0 release. This did not contain the 1154 fix
527	  from 16 oct. The code repository continues with
528	  version 1.22.1 in development.
529
53016 October 2024: Yorgos
531	- Fix for dnsoverquic and dnstap to use the correct dnstap
532	  environment.
533
53416 October 2024: Wouter
535	- Fix for dnstap with dnscrypt and dnstap without dnsoverquic.
536	- Fix #1154: Tag Incorrectly Applying for Other Interfaces
537	  Using the Same IP. This fix is not for 1.22.0.
538
53914 October 2024: Wouter
540	- Fix to display warning if quic-port is set but dnsoverquic is not
541	  enabled when compiled.
542	- Fix dnsoverquic to extend the number of streams when one is closed.
543
54411 October 2024: Wouter
545	- Fix to disable detection of quic configured ports when quic is
546	  not compiled in.
547	- Fix harden-unverified-glue for AAAA cache_fill_missing lookups.
548	- Fix contrib/aaaa-filter-iterator.patch for change in call
549	  signature for cache_fill_missing.
550
55110 October 2024: Wouter
552	- Fix cookie_file test sporadic fails for time change during
553	  the test.
554	- Fix add reallocarray to alloc stats unit test, and disable
555	  override of strdup in unbound-host, and the result of config
556	  get option is freed properly.
557	- Tag for 1.22.0rc1.
558
5599 October 2024: Wouter
560	- Merge #871: DNS over QUIC. This adds `quic-port: 853` and
561	  `quic-size: 8m` that enable dnsoverquic, and the counters
562	  `num.query.quic` and `mem.quic` in the statistics output.
563	  The feature needs to be enabled by compiling with libngtcp2,
564	  with `--with-libngtcp2=path` and libngtcp2 needs openssl+quic,
565	  pass that with `--with-ssl=path` to compile unbound as well.
566	- Fix to limit NSEC TTL for messages from cachedb. Fix to limit the
567	  prefetch ttl for messages after a CNAME with short TTL.
568	- Fix for dnstap compile of doqclient with doq disabled.
569
5708 October 2024: Wouter
571	- Fix #1149: unbound-control-setup hangs sometimes depending on
572	  the openssl version.
573	- Fix #1128: Cannot override tcp-upstream and tls-upstream with
574	  forward-tcp-upstream and forward-tls-upstream.
575
5763 October 2024: Yorgos
577	- Fix CVE-2024-8508, unbounded name compression could lead to denial
578	  of service.
579	- This fix was part of 1.21.1, a security point release on 1.21.0.
580	  The code repository continues with this fix and the version number
581	  1.22.0.
582
58330 September 2024: Wouter
584	- Fix negative cache NSEC3 parameter compares for zero length NSEC3
585	  salt.
586	- Fix unbound dnstap socket test program analyzer warnings about
587	  unused variable assignments and variable initialization.
588
58925 September 2024: Wouter
590	- Fix #1144: [FR] log timestamps in ISO8601 format with timezone.
591	  This adds the option `log-time-iso: yes` that logs in ISO8601
592	  format.
593
59424 September 2024: Yorgos
595	- Attempt to further fix doh_downstream_buffer_size.tdir flakiness.
596	- More clear text for prefetch and minimal-responses in the
597	  unbound.conf man page.
598	- Merge #1143: Fix cache update when serve expired is used. Expired
599	  records are favored over resolution and validation failures when
600	  serve-expired is used.
601
60223 September 2024: Wouter
603	- Fix dns64 with prefetch that the prefetch is stored in cache.
604
60523 September 2024: Yorgos
606	- Fix doxygen warnings by commenting out CLANG_ASSISTED_PARSING,
607	  CLANG_ADD_INC_PATHS, CLANG_OPTIONS and CLANG_DATABASE_PATH; they were
608	  already disabled.
609
61017 September 2024: Wouter
611	- Add redis-command-timeout: 20 and redis-connect-timeout: 200,
612	  that can set the timeout separately for commands and the
613	  connection set up to the redis server. If they are not
614	  specified, the redis-timeout value is used.
615
61616 September 2024: Wouter
617	- Merge #1140: Fix spelling mistake in comments.
618
61911 September 2024: Yorgos
620	- Fix and add comments in testdata/val_negcache_ttl.rpl.
621
62210 September 2024: Wouter
623	- Fix to limit NSEC and NSEC3 TTL when aggressive nsec is
624	  enabled (RFC9077).
625	- Add unit test for ttl limit for aggressive nsec.
626
6276 September 2024: Yorgos
628	- Fix alloc-size and calloc-transposed-args compiler warnings.
629	- Fix comment to not trigger doxygen unknown command.
630
6315 September 2024: Wouter
632	- Fix config file read for dnstap-sample-rate.
633
6342 September 2024: Wouter
635	- Merge #1135: Add new IANA trust anchor.
636
63730 August 2024: Wouter
638	- Merge #1132: b.root renumbering.
639	- Fix for #1132, adjusted unit test for change in the test file.
640	- Fix for #1132, comment about adjusted copy of reference check.
641
64229 August 2024: Wouter
643	- Unit test for auth zone transfer TLS, and TLS failure.
644	- Fix to print port number in logs for auth zone transfer activities.
645
64628 August 2024: Wouter
647	- Fix that when rpz is applied the message does not get picked up by
648	  the validator. That stops validation failures for the message.
649	- Fix that stub-zone and forward-zone clauses do not exhaust memory
650	  for long content.
651
65227 August 2024: Wouter
653	- Fix #1130: Loads of logs: "validation failure: key for validation
654	  <domain>. is marked as invalid because of a previous" for
655	  non-DNSSEC signed zone.
656
65723 August 2024: Wouter
658	- Merge patch to fix for glue that is outside of zone, with
659	  `harden-unverified-glue`, from Karthik Umashankar (Microsoft).
660	  Enabling this option protects the Unbound resolver against bad
661	  glue, that is unverified out of zone glue, by resolving them.
662	  It uses the records as last resort if there is no other working
663	  glue.
664	- Fix #1127: error: "memory exhausted" when defining more than 9994
665	  local-zones.
666	- Fix documentation for cache_fill_missing function.
667
66821 August 2024: Wouter
669	- Add cross platform freebsd, openbsd and netbsd to github ci.
670	- Fix for char signedness warnings on NetBSD.
671
67220 August 2024: Wouter
673	- Add iter-scrub-ns, iter-scrub-cname and max-global-quota
674	  configuration options.
675
67619 August 2024: Wouter
677	- Fix #1126: unbound-control-setup hangs while testing for openssl
678	  presence starting from version 1.21.0.
679
6809 August 2024: Wouter
681	- Fix spelling for the cache-min-negative-ttl entry in the
682	  example.conf.
683	- Tag for release 1.21.0, the repository continues with 1.21.1
684	  in development.
685
6868 August 2024: Wouter
687	- Fix CAMP issues with global quota. Thanks to Huayi Duan, Marco
688	  Bearzi, Jodok Vieli, and Cagin Tanir from NetSec group, ETH Zurich.
689	- Fix CacheFlush issues with limit on NS RRs. Thanks to Yehuda Afek,
690	  Anat Bremler-Barr, Shoham Danino and Yuval Shavitt (Tel-Aviv
691	  University and Reichman University).
692	- Set version number to 1.21.0 for release. This has tag 1.21.0rc1.
693	- Fix that for windows the module startup is called and sets up
694	  the module-config.
695
6962 August 2024: Wouter
697	- Fix that alloc stats has strdup checks, it stops debuggers from
698	  complaining about mismatch at free time.
699	- Fix testbound for alloc stats strdup in util/alloc.c.
700	- Merge #1090: Cookie secret file. Adds
701	  `cookie-secret-file: "unbound_cookiesecrets.txt"` option to store
702	  cookie secrets for EDNS COOKIE secret rollover. The remote control
703	  add_cookie_secret, activate_cookie_secret and drop_cookie_secret
704	  commands can be used for rollover, the command print_cookie_secrets
705	  shows the values in use.
706	- Fix that alloc stats for forwards and hints are printed, and when
707	  alloc stats is enabled, the unit test for unbound control waits for
708	  reloads to complete.
709
7101 August 2024: Wouter
711	- Fix dnstap test program, cleans up to have clean memory on exit,
712	  for tap_data_free, does not delete NULL items. Also it does not try
713	  to free the tail, specifically in the free of the list since that
714	  picked up the next item in the list for its loop causing invalid
715	  free. Added internal unit test to unbound-dnstap-socket for that.
716	- Fix that the worker mem report with alloc stats does not attempt
717	  to print memory use of forwards and hints if they have been
718	  deleted already.
719
72031 July 2024: Wouter
721	- Fix for #1114: Fix that cache fill for forward-host names is
722	  performed, so that with nonzero target-fetch-policy it fetches
723	  forwarder addresses and uses them from cache. Also updated that
724	  delegation point cache fill routines use CDflag for AAAA message
725	  lookups, so that its negative lookup stops a recursion since the
726	  cache uses the bit for disambiguation for dns64 but the recursion
727	  uses CDflag for the AAAA target lookups, so the check correctly
728	  stops a useless recursion by its cache lookup.
729
73030 July 2024: Wouter
731	- Fix to document parameters of auth_zone_verify_zonemd_with_key.
732
73325 July 2024: Wouter
734	- Add root key 38696 from 2024 for DNSSEC validation. It is added
735	  to the default root keys in unbound-anchor. The content can be
736	  inspected with `unbound-anchor -l`.
737
73823 July 2024: Yorgos
739	- Fix #1106: ratelimit-below-domain logs the wrong FROM address.
740	- Cleanup ede.tdir test.
741	- For #935 and #1104, clarify RPZ order and semantics.
742
74323 July 2024: Wouter
744	- Merge #1110: Make fallthrough explicit for libworker.c.
745	- For #1110: Test for fallthrough attribute in configure and add
746	  fallthrough attribute annotations.
747	- Fix compile when the compiler does not support the noreturn
748	  attribute.
749	- Fix to have empty definition when not supported for weak attribute.
750	- Fix uninitialized variable warning in create_tcp_accept_sock.
751	- Fix link of dnstap without openssl.
752	- Fix link of unbound-dnstap-socket without openssl.
753
75419 July 2024: Wouter
755	- Add dnstap-sample-rate that logs only 1/N messages, for high volume
756	  server environments. Thanks Dan Luther.
757	- Fix dnstap wakeup, a running wakeup timer is left to expire and not
758	  increased, a timer is started when the dtio thread is sleeping,
759	  the timer set disabled when the dtio thread goes to sleep, and
760	  after sleep the thread checks to see if there are messages to log
761	  immediately.
762
76316 July 2024: Wouter
764	- For #1103: Fix to drop mesh state reference for the http2 stream
765	  associated with the reply, not the currently active stream. And
766	  it does not remove it twice on a mesh_send_reply call. The reply
767	  h2_stream is NULL when not in use, for more initialisation.
768
76915 July 2024: Wouter
770	- For #1103: fix to also drop mesh state reference when the discard
771	  limit is reached, when there is an error making a new recursion
772	  state and when the connection is dropped with is_drop.
773
77412 July 2024: Yorgos
775	- Add RPZ tag tests in acl_interface.tdir.
776	- For #1102: clearer text for using interface-* options for the
777	  loopback interface.
778
77912 July 2024: Wouter
780	- Fix #1103: unbound 1.20.0 segmentation fault with nghttp2.
781	- For #1103: fix to also drop mesh state reference when a h2 reply is
782	  dropped.
783
78410 July 2024: Wouter
785	- For #773: In contrib/unbound.service.in set unbound to start after
786	  network-online.target. Also for contrib/unbound_portable.service.in.
787
7889 July 2024: Yorgos
789	- Update list of known EDE codes.
790
7918 July 2024: Wouter
792	- Fix that validation reason failure that uses string print uses
793	  separate buffer that is passed, from the scratch validation buffer.
794	- Fixup algo_needs_reason string buffer length.
795	- Fix shadowed error string variable in validator dnskey handling.
796
7975 July 2024: Yorgos
798	- Don't check for message TTL changes if the RRsets remain the same.
799
8005 July 2024: Wouter
801	- Fix for neater printout for error for missing DS response.
802	- Fix neater printout.
803	- Fix #1099: Unbound core dump on SIGSEGV.
804	- Fix for #1099: Fix to check for deleted RRset when the contents
805	  is updated and fetched after it is stored, and also check for a
806	  changed RRset.
807
8084 July 2024: Wouter
809	- Fix to print details about the failure to lookup a DNSKEY record
810	  when validation fails due to the missing DNSKEY. Also for key prime
811	  and DS lookups.
812
8133 July 2024: Yorgos
814	- Fix for repeated use of a DNAME record: first overallocate and then
815	  move the exact size of the init value to avoid false positive heap
816	  overflow reads from address sanitizers.
817
8183 July 2024: Wouter
819	- Fix #144: Port ipset to BSD pf tables.
820	- Add unit test skip files and bison and flex output to gitignore.
821	- Fix to use modstack_init in zonemd unit test.
822	- Fix to remove unneeded linebreak in fptr_wlist.c.
823	- Fix compile warnings in fptr_wlist.c.
824
8252 July 2024: Wouter
826	- Fix to remove unused include from the readzone test program.
827	- Fix unused variable warning in do_cache_remove.
828	- Fix compile warning in worker pthread id printout.
829
83017 June 2024: Wouter
831	- Fix ip-ratelimit-cookie setting, it was not applied.
832
83326 June 2024: Yorgos
834	- Explicitly set the RD bit for the mesh query flags when prefetching.
835	  These queries have no waiting client but they need to be treated as
836	  recursive.
837
83821 June 2024: Yorgos
839	- Fix pkg-config availability check in dnstap/dnstap.m4 and
840	  systemd.m4.
841
84219 June 2024: Yorgos
843	- Fix #1092: Ubuntu 22.04 Jammy fails to compile unbound 1.20.0; by
844	  adding helpful text for the Python interpreter version and allowing
845	  the default pkg-config unavailability error message to be shown.
846
84717 June 2024: Wouter
848	- Fix #1091: Build fails with OpenSSL >= 3.0 built with
849	  OPENSSL_NO_DEPRECATED.
850
8517 June 2024: Wouter
852	- Add unit test for validation of repeated use of a DNAME record.
853
8546 June 2024: Wouter
855	- Fix memory leak in setup of dsa sig.
856	- Fix typos for 'the the' in text.
857	- Fix validation for repeated use of a DNAME record.
858
8594 June 2024: Yorgos
860	- Merge #1080: AddressSanitizer detection in tdir tests and memory leak
861	  fixes.
862	- Fix memory leak when reload_keep_cache is used and num-threads
863	  changes.
864	- Fix memory leak on exit for unbound-dnstap-socket; creates false
865	  negatives during testing.
866
8673 June 2024: Wouter
868	- Fix to squelch connection reset by peer errors from log. And fix
869	  that the tcp read errors are labeled as initial for the first calls.
870
87130 May 2024: Wouter
872	- Fix #1079: tags from tagged rpz zones are no longer honored after
873	  upgrade from 1.19.3 to 1.20.0.
874	- Fix for #1079: fix RPZ taglist in iterator callback that no client
875	  info is like no taglist intersection.
876
87729 May 2024: Wouter
878	- Merge #1078: Only check old pid if no username.
879
88027 May 2024: Wouter
881	- Fix to enable that SERVFAIL is cached, for a short period, for more
882	  cases. In the cases where limits are exceeded.
883	- Fix spelling of tcp-idle-timeout docs, from Michael Tokarev.
884
88527 May 2024: Yorgos
886	- Fix unused variable warning on compilation with no thread support.
887	- unbound-control-setup: check openssl availability before doing
888	  anything, patch from Michael Tokarev.
889	- Update patch to remove 'command' shell builtin and update error
890	  text.
891
89224 May 2024: Wouter
893	- Fix #1064: Unbound 1.20 Cachedb broken?
894
89524 May 2024: Yorgos
896	- Fix #1059: Intermittent DNS blocking failure with local-zone and
897	  always_nxdomain. Addition of local_zones dynamically via
898	  unbound-control was not finding the zone's parent correctly.
899
90021 May 2024: Wouter
901	- Merge #1073: fix null pointer dereference issue in function
902	  ub_ctx_set_fwd.
903	- Fix to print a parse error when config is read with no name for
904	  a forward-zone, stub-zone or view.
905	- Fix for parse end of forward-zone, stub-zone and view.
906	- Fix for #1064: Fix that cachedb expired messages are considered
907	  insecure, and thus can be served to clients when dnssec is enabled.
908
90917 May 2024: Yorgos
910	- Merge #1069: Fix unbound-control stdin commands for multi-process
911	  Unbounds.
912	- Fix unbound-control commands that read stdin in multi-process
913	  operation (local_zones_remove, local_zones, local_datas_remove,
914	  local_datas, view_local_datas_remove, view_local_datas). They will
915	  be properly distributed to all processes. dump_cache and load_cache
916	  are no longer supported in multi-process operation.
917	- Remove testdata/remote-threaded.tdir. testdata/09-unbound-control.tdir
918	  now checks both single and multi process/thread operation.
919
92016 May 2024: Yorgos
921	- Merge #1070: Fix rtt assignment for low values of
922	  infra-cache-max-rtt.
923
92416 May 2024: Wouter
925	- Fix #1071: [FR] Clear both in-memory and cachedb module cache with
926	  `unbound-control flush*` commands.
927
92815 May 2024: Yorgos
929	- Add missing common functions to tdir tests.
930
93110 May 2024: Wouter
932	- Fix when the mesh jostle is exceeded that nameserver targets are
933	  marked as resolved, so that the lookup is not stuck on the
934	  requestlist.
935
9368 May 2024: Wouter
937	- Fix to squelch udp connect errors in the log at low verbosity about
938	  invalid argument for IPv6 link local addresses.
939
9407 May 2024: Wouter
941	- Merge #1062: Fix potential overflow bug while parsing port in
942	  function cfg_mark_ports.
943	- Fix for #1062: declaration before statement, avoid print of null,
944	  and redundant check for array size.
945
9461 May 2024: Wouter
947	- Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to Xiang Li
948	  from the Network and Information Security Lab of Tsinghua University
949	  for reporting it.
950	- Set version number to 1.20.0 for release. This became the release
951	  on 8 may 2024, the repository continues with version 1.20.1.
952
95329 April 2024: Yorgos
954	- Cleanup unnecessary strdup calls for EDE strings.
955
95629 April 2024: Wouter
957	- Fix doxygen comment for errinf_to_str_bogus.
958
95926 April 2024: Wouter
960	- Fix cachedb with serve-expired-client-timeout disabled. The edns
961	  subnet module deletes global cache and cachedb cache when it
962	  stores a result, and serve-expired is enabled, so that the global
963	  reply, that is older than the ecs reply, does not return after
964	  the ecs reply expires.
965	- Add unit tests for cachedb and subnet cache expired data.
966	- Man page entry for unbound-checkconf -q.
967
96826 April 2024: Yorgos
969	- Fix #876: [FR] can unbound-checkconf be silenced when configuration
970	  is valid?
971
97225 April 2024: Wouter
973	- Fix configure flto check error, by finding grep for it.
974	- Merge #1041: Stub and Forward unshare. This has one structure
975	  for them and fixes #1038: fatal error: Could not initialize
976	  thread / error: reading root hints.
977	- Fix to disable fragmentation on systems with IP_DONTFRAG,
978	  with a nonzero value for the socket option argument.
979	- Fix doc unit test for out of directory build.
980
98124 April 2024: Wouter
982	- Fix ci workflow for macos for moved install locations.
983
98423 April 2024: Yorgos
985	- Merge #1053: Remove child delegations from cache when grandchild
986	  delegations are returned from parent.
987
98822 April 2024: Wouter
989	- Add checklock feature verbose_locking to trace locks and unlocks.
990	- Fix edns subnet to sort rrset references when storing messages
991	  in the cache. This fixes a race condition in the rrset locks.
992
99315 April 2024: Wouter
994	- Fix #1048: Update ax_pkg_swig.m4 and ax_pthread.m4.
995	- Fix configure, autoconf for #1048.
996
99715 April 2024: Yorgos
998	- Merge #1049 from Petr Menšík: Py_NoSiteFlag is not needed since
999	  Python 3.8
1000
100112 April 2024: Wouter
1002	- Fix cachedb for serve-expired with serve-expired-client-timeout.
1003	- Fixup unit test for cachedb server expired client timeout with
1004	  a check if response if from upstream or from cachedb.
1005	- Fixup cachedb to not refetch when serve-expired-client-timeout is
1006	  used.
1007
100810 April 2024: Wouter
1009	- Implement cachedb-check-when-serve-expired: yes option, default
1010	  is enabled. When serve expired is enabled with cachedb, it first
1011	  checks cachedb before serving the expired response.
1012	- Fixup compile without cachedb.
1013	- Add test for cachedb serve expired.
1014	- Extended test for cachedb serve expired.
1015	- Fix makefile dependencies for fake_event.c.
1016	- Fix cachedb for serve-expired with serve-expired-reply-ttl.
1017	- Fix to not reply serve expired unless enabled for cachedb.
1018
10199 April 2024: Yorgos
1020	- Merge #1043 from xiaoxiaoafeifei: Add loongarch support; updates
1021	  config.guess(2024-01-01) and config.sub(2024-01-01), verified
1022	  with upstream.
1023
10248 April 2024: Yorgos
1025	- Fix #595: unbound-anchor cannot deal with full disk; it will now
1026	  first write out to a temp file before replacing the original one,
1027	  like Unbound already does for auto-trust-anchor-file.
1028
10295 April 2024: Wouter
1030	- Fix comment syntax for view function views_find_view.
1031
10325 April 2024: Yorgos
1033	- Merge #1027: Introduce 'cache-min-negative-ttl' option.
1034
10353 April 2024: Wouter
1036	- Fix #1040: fix heap-buffer-overflow issue in function cfg_mark_ports
1037	  of file util/config_file.c.
1038	- For #1040: adjust error text and disallow negative ports in other
1039	  parts of cfg_mark_ports.
1040
10413 April 2024: Yorgos
1042	- Fix #1035: Potential Bug while parsing port from the "stub-host"
1043	  string; also affected forward-zones and remote-control host
1044	  directives.
1045	- Fix #369: dnstap showing extra responses; for client responses
1046	  right from the cache when replying with expired data or
1047	  prefetching.
1048
104928 March 2024: Wouter
1050	- Fix #1034: DoT forward-zone via unbound-control.
1051	- Fix for crypto related failures to have a better error string.
1052
105327 March 2024: Wouter
1054	- Fix name of unit test for subnet cache response.
1055	- Fix #1032: The size of subnet_msg_cache calculation mistake cause
1056	  memory usage increased beyond expectations.
1057	- Fix for #1032, add safeguard to make table space positive.
1058	- Fix comment in lruhash space function.
1059	- Fix to add unit test for lruhash space that exercises the routines.
1060	- Fix that when the server truncates the pidfile, it does not follow
1061	  symbolic links.
1062	- Fix that the server does not chown the pidfile.
1063
106425 March 2024: Yorgos
1065	- Merge #831 from Pierre4012: Improve Windows NSIS installer
1066	  script (setup.nsi).
1067	- For #831: Format text, use exclamation icon and explicit label
1068	  names.
1069
107019 March 2024: Wouter
1071	- Fix rpz so that rpz CNAME can apply after rpz CNAME. And fix that
1072	  clientip and nsip can give a CNAME.
1073	- Fix localdata and rpz localdata to match CNAME only if no direct
1074	  type match is available.
1075
107618 March 2024: Wouter
1077	- Fix that rpz CNAME content is limited to the max number of cnames.
1078	- Fix rpz, it follows iterator CNAMEs for nsip and nsdname and sets
1079	  the reply query_info values, that is better for debug logging.
1080	- Fix rpz that copies the cname override completely to the temp
1081	  region, so there are no references to the rpz region.
1082	- Add rpz unit test for nsip action override.
1083	- Fix rpz for qtype CNAME after nameserver trigger.
1084
108515 March 2024: Yorgos
1086	- Merge #1030: Persist the openssl and expat directories for repeated
1087	  Windows builds.
1088
108915 March 2024: Wouter
1090	- Fix that addrinfo is not kept around but copied and freed, so that
1091	  log-destaddr uses a copy of the information, much like NSD does.
1092
109313 March 2024: Wouter
1094	- Fix #1029: rpz trigger clientip and action rpz-passthru not working
1095	  as expected.
1096	- Fix rpz that the rpz override is taken in case of clientip triggers.
1097	  Fix that the clientip passthru action is logged. Fix that the
1098	  clientip localdata action is logged. Fix rpz override action cname
1099	  for the clientip trigger.
1100	- Fix to unify codepath for local alias for rpz cname action override.
1101	- Fix rpz for cname override action after nsdname and nsip triggers.
1102
110312 March 2024: Yorgos
1104	- Merge #1028: Clearer documentation for tcp-idle-timeout and
1105	  edns-tcp-keepalive-timeout.
1106
110711 March 2024: Wouter
1108	- Fix #1021 Inconsistent Behavior with Changing rpz-cname-override
1109	  and doing a unbound-control reload.
1110
11118 March 2024: Wouter
1112	- Fix unbound-control-setup.cmd to use 3072 bits so that certificates
1113	  are long enough for newer OpenSSL versions. This fix is included
1114	  in 1.19.3rc2.
1115	- Fix TTL of synthesized CNAME when a DNAME is used from cache. This
1116	  fix is included in 1.19.3rc2.
1117	- Remove unused portion from iter_dname_ttl unit test.
1118	- Fix validator classification of qtype DNAME for positive and
1119	  redirection answers, and fix validator signature routine for dealing
1120	  with the synthesized CNAME for a DNAME without previously
1121	  encountering it and also for when the qtype is DNAME.
1122	- Fix qname minimisation for reply with a DNAME for qtype CNAME that
1123	  answers it.
1124	- Fix doc test so it ignores but outputs unsupported doxygen options.
1125	- Fix unbound-control-setup.cmd to have CA v3 basicConstraints,
1126	  like unbound-control-setup.sh has. This fix is included in 1.19.3rc2.
1127
11288 March 2024: Yorgos
1129	- Update doc/unbound.doxygen with 'doxygen -u'. Fixes option
1130	  deprecation warnings and updates with newer defaults.
1131
11327 March 2024: Wouter
1133	- Version set to 1.19.3 for release. After 1.19.2 point release with
1134	  security fix for CVE-2024-1931, Denial of service when trimming
1135	  EDE text on positive replies. The code repo includes the fix and
1136	  is for version 1.19.3. The code repo continues for version 1.19.4,
1137	  but 1.19.3 includes the fixes in 1.19.3rc2 as well.
1138
11395 March 2024: Wouter
1140	- Fix for #1022: Fix ede prohibited in access control refused answers.
1141
11424 March 2024: Wouter
1143	- Fix edns subnet replies for scope zero answers to not get stored
1144	  in the global cache, and in cachedb, when the upstream replies
1145	  without an EDNS record.
1146
114728 February 2024: Wouter
1148	- Move github workflows to use checkoutv4.
1149
115023 February 2024: Yorgos
1151	- Document the suspend argument for process_ds_response().
1152
115322 February 2024: Wouter
1154	- Fix trim of EDE text from large udp responses from spinning cpu.
1155
115620 February 2024: Yorgos
1157	- Merge #1010: Mention REFUSED has the TC bit set with unmatched
1158	  allow_cookie acl in the manpage. It also fixes the code to match the
1159	  documentation about clients with a valid cookie that bypass the
1160	  ratelimit regardless of the allow_cookie acl.
1161
116213 February 2024: Wouter
1163	- Fix CVE-2023-50387, DNSSEC verification complexity can be exploited
1164	  to exhaust CPU resources and stall DNS resolvers.
1165	- Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.
1166	- These fixes are part of the 1.19.1 release, that is a security
1167	  point release on 1.19.0, the code repository continues with these
1168	  fixes, with version number 1.19.2.
1169
11708 February 2024: Wouter
1171	- Fix documentation for access-control in the unbound.conf man page.
1172
11737 February 2024: Yorgos
1174	- Fix #1006: Can't find protobuf-c package since #999.
1175
117630 January 2024: Wouter
1177	- Merge #999: Search for protobuf-c with pkg-config.
1178
117923 January 2024: Yorgos
1180	- Update message TTL when using cached RRSETs. It could result in
1181	  non-expired messages with expired RRSETs (non-usable messages by
1182	  Unbound).
1183
118422 January 2024: Yorgos
1185	- Update error printout for duplicate trust anchors to include the
1186	  trust anchor name (relates to #920).
1187
118822 January 2024: Wouter
1189	- Fix for #997: Print details for SSL certificate failure.
1190
119117 January 2024: Wouter
1192	- Update workflow for ports to use newer openssl on windows compile.
1193	- Fix warning for windres on resource files due to redefinition.
1194
119516 January 2024: Wouter
1196	- Fix to link with libssp for libcrypto and getaddrinfo check for
1197	  only header. Also update crosscompile to remove ssp for 32bit.
1198	- Merge #993: Update b.root-servers.net also in example config file.
1199
120015 January 2024: Wouter
1201	- Fix to link with -lcrypt32 for OpenSSL 3.2.0 on Windows.
1202
12039 January 2024: Wouter
1204	- Merge #988: Fix NLnetLabs#981: dump_cache truncates large records.
1205
12065 January 2024: Wouter
1207	- Merge #987: skip edns frag retry if advertised udp payload size is
1208	  not smaller.
1209	- Fix unit test for #987 change in udp1xxx retry packet send.
1210
12114 January 2024: Wouter
1212	- Remove unneeded newlines and improve indentation in remote control
1213	  code.
1214
12153 January 2024: Wouter
1216	- Merge #980: DoH: reject non-h2 early. To fix #979: Improve errors
1217	  for non-HTTP/2 DoH clients.
1218	- Merge #985: Add DoH and DoT to dnstap message.
1219	- Fix #983: Sha1 runtime insecure change was incomplete.
1220
122122 December 2023: Yorgos
1222	- Update example.conf with cookie options.
1223
12248 December 2023: Yorgos
1225	- Merge PR #973: Use the origin (DNAME) TTL for synthesized CNAMEs as
1226	  per RFC 6672.
1227
12288 December 2023: Wouter
1229	- Fix root_zonemd unit test, it checks that the root ZONEMD verifies,
1230	  now that the root has a valid ZONEMD.
1231
12327 December 2023: Wouter
1233	- Fix #974: doc: default number of outgoing ports without libevent.
1234	- Merge #975: Fixed some syntax errors in rpl files.
1235
12366 December 2023: Wouter
1237	- Fix to sync the tests script file common.sh.
1238	- iana portlist update.
1239	- Updated IPv4 and IPv6 address for b.root-servers.net in root hints.
1240	- Update test script file common.sh.
1241	- Fix tests to use new common.sh functions, wait_logfile and
1242	  kill_from_pidfile.
1243
12445 December 2023: Wouter
1245	- Merge #971: fix 'WARNING: Message has 41 extra bytes at end'.
1246	- Fix #969: [FR] distinguish Do53, DoT and DoH in the logs.
1247	- Fix dnstap that assertion failed on logging other than UDP and TCP
1248	  traffic. It lists it as TCP traffic.
1249
125027 November 2023: Yorgos
1251	- Merge #968: Replace the obsolescent fgrep with grep -F in tests.
1252
125327 November 2023: Wouter
1254	- Fix #964: config.h.in~ backup file in release tar balls.
1255
125624 November 2023: Yorgos
1257	- Use 127.0.0.1 explicitly in tests to avoid delays and errors on
1258	  newer systems.
1259
12609 November 2023: Wouter
1261	- Fix unit test parse of origin syntax.
1262
12632 November 2023: Wouter
1264	- Set version number to 1.19.0.
1265	- Tag for 1.19.0rc1 release. It became 1.19.0 release on 8 nov 2023.
1266	  The repository continues with 1.19.1.
1267
12681 November 2023: George
1269	- Mention flex and bison in README.md when building from repository
1270	  source.
1271
12721 November 2023: Wouter
1273	- Fix SSL compile failure for definition in log_crypto_err_io_code_arg.
1274	- Fix SSL compile failure for other missing definitions in
1275	  log_crypto_err_io_code_arg.
1276	- Fix compilation without openssl, remove unused function warning.
1277
127831 October 2023: George
1279	- Fix #941: dnscrypt doesn't work after upgrade to 1.18 with
1280	  suggestion by dukeartem to also fix the udp_ancil with dnscrypt.
1281
128230 October 2023: George
1283	- Merge #930 from Stuart Henderson: add void to
1284	  log_ident_revert_to_default declaration.
1285
128630 October 2023: Wouter
1287	- autoconf.
1288
128924 October 2023: George
1290	- Clearer configure text for missing protobuf-c development libraries.
1291
129220 October 2023: Wouter
1293	- Merge #951: Cachedb no store. The cachedb-no-store: yes option is
1294	  used to stop cachedb from writing messages to the backend storage.
1295	  It reads messages when data is available from the backend. The
1296	  default is no.
1297
129819 October 2023: Wouter
1299	- Fix to print detailed errors when an SSL IO routine fails via
1300	  SSL_get_error.
1301
130218 October 2023: George
1303	- Mailing list patches from Daniel Gröber for DNS64 fallback to plain
1304	  AAAA when no A record exists for synthesis, and minor DNS64 code
1305	  refactoring for better readability.
1306	- Fixes for the DNS64 patches.
1307	- Update the dns64_lookup.rpl test for the DNS64 fallback patch.
1308	- Merge #955 from buevsan: fix ipset wrong behavior.
1309	- Update testdata/ipset.tdir test for ipset fix.
1310
131117 October 2023: Wouter
1312	- Fix #954: Inconsistent RPZ handling for A record returned along with
1313	  CNAME.
1314
131516 October 2023: George
1316	- Expose the script filename in the Python module environment 'mod_env'
1317	  instead of the config_file structure which includes the linked list
1318	  of scripts in a multi Python module setup; fixes #79.
1319	- Expose the configured listening and outgoing interfaces, if any, as
1320	  a list of strings in the Python 'config_file' class instead of the
1321	  current Swig object proxy; fixes #79.
1322	- For multi Python module setups, clean previously parsed module
1323	  functions in __main__'s dictionary, if any, so that only current
1324	  module functions are registered.
1325
132613 October 2023: George
1327	- Better fix for infinite loop when reading multiple lines of input on
1328	  a broken remote control socket, by treating a zero byte line the
1329	  same as transmission end. Addresses #947 and #948.
1330
133112 October 2023: Wouter
1332	- Merge #944: Disable EDNS DO.
1333	  Disable the EDNS DO flag in upstream requests. This can be helpful
1334	  for devices that cannot handle DNSSEC information. But it should not
1335	  be enabled otherwise, because that would stop DNSSEC validation. The
1336	  DNSSEC validation would not work for Unbound itself, and also not
1337	  for downstream users. Default is no. The option
1338	  is disable-edns-do: no
1339
134011 October 2023: George
1341	- Fix #850: [FR] Ability to use specific database in Redis, with new
1342	  redis-logical-db configuration option.
1343
134411 October 2023: Wouter
1345	- Fix #949: "could not create control compt".
1346	- Fix that cachedb does not warn when serve-expired is disabled about
1347	  use of serve-expired-reply-ttl and serve-expired-client-timeout.
1348	- Fix for #949: Fix pythonmod/ubmodule-tst.py for Python 3.x.
1349
135010 October 2023: George
1351	- Fix infinite loop when reading multiple lines of input on a broken
1352	  remote control socket. Addresses #947 and #948.
1353
13549 October 2023: Wouter
1355	- Fix edns subnet so that queries with a source prefix of zero cause
1356	  the recursor send no edns subnet option to the upstream.
1357	- Fix that printout of EDNS options shows the EDNS cookie option by
1358	  name.
1359
13604 October 2023: Wouter
1361	- Fix #946: Forwarder returns servfail on upstream response noerror no
1362	  data.
1363
13643 October 2023: George
1365	- Merge #881: Generalise the proxy protocol code.
1366
13672 October 2023: George
1368	- Fix misplaced comment.
1369
137022 September 2023: Wouter
1371	- Fix #942: 1.18.0 libunbound DNS regression when built without
1372	  OpenSSL.
1373
137418 September 2023: Wouter
1375	- Fix rpz tcp-only action with rpz triggers nsdname and nsip.
1376
137715 September 2023: Wouter
1378	- Merge #936: Check for c99 with autoconf versions prior to 2.70.
1379	- Fix to remove two c99 notations.
1380
138114 September 2023: Wouter
1382	- Fix authority zone answers for obscured DNAMEs and delegations.
1383
13848 September 2023: Wouter
1385	- Fix send of udp retries when ENOBUFS is returned. It stops looping
1386	  and also waits for the condition to go away. Reported by Florian
1387	  Obser.
1388
13897 September 2023: Wouter
1390	- Fix to scrub resource records of type A and AAAA that have an
1391	  inappropriate size. They are removed from responses.
1392	- Fix to move msgparse_rrset_remove_rr code to util/msgparse.c.
1393	- Fix to add EDE text when RRs have been removed due to length.
1394	- Fix to set ede match in unit test for rr length removal.
1395	- Fix to print EDE text in readable form in output logs.
1396
13976 September 2023: Wouter
1398	- Merge #931: Prevent warnings from -Wmissing-prototypes.
1399
140031 August 2023: Wouter
1401	- Fix autoconf 2.69 warnings in configure.
1402	- Fix #927: unbound 1.18.0 make test error. Fix make test without SHA1.
1403
140430 August 2023: Wouter
1405	- Fix for WKS call to getservbyname that creates allocation on exit
1406	  in unit test by testing numbers first and testing from the services
1407	  list later.
1408
140928 August 2023: Wouter
1410	- Fix for version generation race condition that ignored changes.
1411
141225 August 2023: Wouter
1413	- Fix compile error on NetBSD in util/netevent.h.
1414
141523 August 2023: Wouter
1416	- Tag for 1.18.0rc1 release. This became the 1.18.0 release on
1417	  30 aug 2023, with the fix from 25 aug, fix compile on NetBSD
1418	  included. The repository continues with version 1.18.1.
1419
142022 August 2023: Wouter
1421	- Set version number to 1.18.0.
1422
142321 August 2023: Wouter
1424	- Debug Windows ci workflow.
1425	- Fix windows ci workflow to install bison and flex.
1426	- Fix for #925: unbound.service: Main process exited, code=killed,
1427	  status=11/SEGV. Fixes cachedb configuration handling.
1428	- Fix #923: processQueryResponse() THROWAWAY should be mindful of
1429	  fail_reply.
1430	- Fix unit test for unbound-control to work when threads are disabled,
1431	  and fix cache dump check.
1432
143318 August 2023: Wouter
1434	- Fix for iter_dec_attempts that could cause a hang, part of
1435	  capsforid and qname minimisation, depending on the settings.
1436	- Fix uninitialized memory passed in padding bytes of cmsg to sendmsg.
1437	- Fix stat_values test to work with dig that enables DNS cookies.
1438
143917 August 2023: Wouter
1440	- Merge PR #762: Downstream DNS Server Cookies a la RFC7873 and
1441	  RFC9018. Create server cookies for clients that send client cookies.
1442	  This needs to be explicitly turned on in the config file with:
1443	  `answer-cookie: yes`. A `cookie-secret:` can be configured for
1444	  anycast setups. Without one, a random cookie secret is generated.
1445	  The acl option `allow_cookie` allows queries with either a valid
1446	  cookie or over a stateful transport. The statistics output has
1447	  `queries_cookie_valid` and `queries_cookie_client` and
1448	  `queries_cookie_invalid` information. The `ip\-ratelimit\-cookie:`
1449	  value determines a rate limit for queries with cookies, if desired.
1450	- Fix regional_alloc_init for potential unaligned source of the copy.
1451	- Fix ip_ratelimit test to work with dig that enables DNS cookies.
1452
14532 August 2023: George
1454	- Move a cache reply callback in worker.c closer to the cache reply
1455	  generation.
1456
14571 August 2023: George
1458	- Merge #911 from natalie-reece: Exclude EDE before other EDNS options
1459	  when there isn't enough space.
1460	- For #911: Try to trim EXTRA-TEXT (and LDNS_EDE_OTHER options
1461	  altogether) before giving up on attaching EDE options.
1462	- More braces and formatting for Fix for EDNS EDE size calculation to
1463	  avoid future bugs.
1464	- Fix to use the now cached EDE, if any, for CD_bit queries.
1465
14661 August 2023: Wouter
1467	- Fix for EDNS EDE size calculation.
1468
146931 July 2023: George
1470	- Merge #790 from Tom Carpay: Add support for EDE caching in cachedb
1471	  and subnetcache.
1472
147331 July 2023: Wouter
1474	- iana portlist update.
1475
147630 July 2023: George
1477	- Merge #759 from Tom Carpay: Add EDE (RFC8914) caching.
1478
147928 July 2023: George
1480	- Fix unused variable compile warning for kernel timestamps in
1481	  netevent.c
1482
148321 July 2023: George
1484	- Merge #857 from eaglegai: fix potential memory leaks when errors
1485	  happen.
1486	- For #857: fix mixed declarations and code.
1487	- Merge #118 from mibere: Changed verbosity level for Redis init &
1488	  deinit.
1489	- Merge #390 from Frank Riley: Add missing callbacks to the python
1490	  module.
1491	- Cleaner failure code for callback functions in interface.i.
1492	- Merge #889 from borisVanhoof: Free memory in error case + remove
1493	  unused function.
1494	- For #889: use netcat-openbsd instead of netcat-traditional.
1495	- For #889: Account for num_detached_states before possible
1496	  mesh_state_delete when erroring out.
1497
149820 July 2023: George
1499	- Merge #909 from headshog: Numeric truncation when parsing TYPEXX and
1500	  CLASSXX representation.
1501	- For #909: Fix return values.
1502	- Merge #901 from Sergei Trofimovich: config: improve handling of
1503	  unknown modules.
1504
150520 July 2023: Wouter
1506	- For #909: Fix RR class comparison.
1507
150814 July 2023: George
1509	- More clear description of the different auth-zone behaviors on the
1510	  man page.
1511
151213 July 2023: George
1513	- Merge #880 from chipitsine: services/authzone.c: remove redundant
1514	  check.
1515
151611 July 2023: George
1517	- Merge #664 from tilan7763: Add prefetch support for subnet cache
1518	  entries.
1519	- For #664: Easier code flow for subnetcache prefetching.
1520	- For #664: Add testcase.
1521	- For #664: Rename subnet_prefetch tests to subnet_global_prefetch to
1522	  differentiate from the new subnet prefetch support.
1523
15243 July 2023: George
1525	- Merge #739: Add SVCB dohpath support.
1526	- Code cleanup for sldns_str2wire_svcparam_key_lookup.
1527	- Merge #802: add validation EDEs to queries where the CD bit is set.
1528	- For #802: Cleanup comments and add RCODE check for CD bit test case.
1529	- Skip the 00-lint test. splint is not maintained; it either does not
1530	  work or produces false positives. Static analysis is handled in the
1531	  clang test.
1532
15333 July 2023: Wouter
1534	- Fix #906: warning: ‘Py_SetProgramName’ is deprecated.
1535	- Fix dereference of NULL variable warning in mesh_do_callback.
1536
153729 June 2023: George
1538	- More fixes for reference counting for python module and clean up
1539	  failure code.
1540	- Merge #827 from rcmcdonald91: Eliminate unnecessary Python reloading
1541	  which causes memory leaks.
1542
154329 June 2023: Wouter
1544	- Fix python modules with multiple scripts, by incrementing reference
1545	  counts.
1546
154727 June 2023: George
1548	- Merge #892: Add cachedb hit stat. Introduces 'num.query.cachedb' as
1549	  a new statistical counter.
1550	- Remove warning about unknown cast-function-type warning pragma.
1551
155222 June 2023: Wouter
1553	- Merge #903: contrib: add yocto compatible init script.
1554
155515 June 2023: Philip
1556	- Fix for issue #887 (Timeouts to forward servers on BSD based
1557	  system with ASLR)
1558	- Probably fixes #516 (Stream reuse does not work on Windows) as well
1559
156014 June 2023: George
1561	- Properly handle all return values of worker_check_request during
1562	  early EDE code.
1563	- Do not check the incoming request more than once.
1564
156512 June 2023: Wouter
1566	- Merge #896: Fix: #895: pythonmodule: add all site-packages
1567	  directories to sys.path.
1568	- Fix #895: python + sysconfig gives ANOTHER path comparing to
1569	  distutils.
1570	- Fix for uncertain unit test for doh buffer size events.
1571
157225 May 2023: Wouter
1573	- Fix unbound-dnstap-socket printout when no query is present.
1574	- Fix unbound-dnstap-socket time fraction conversion for printout.
1575
157619 May 2023: Wouter
1577	- Fix RPZ removal of client-ip, nsip, nsdname triggers from IXFR.
1578	- Fix to remove unused variables from RPZ clientip data structure.
1579
158016 May 2023: Wouter
1581	- Fix #888: [FR] Use kernel timestamps for dnstap.
1582	- Fix to print debug log for ancillary data with correct IP address.
1583
158411 May 2023: Wouter
1585	- Fix warning in windows compile, in set_recvtimestamp.
1586
15874 May 2023: Wouter
1588	- Fix #885: Error: util/configlexer.c: No such file or directory,
1589	  adds error messages explaining to install flex and bison.
1590	- Fix to remove unused whitespace from acx_nlnetlabs.m4 and config.h.
1591	- Fix doxygen in addr_to_nat64 header definition.
1592
15931 May 2023: George
1594	- Merge #722 from David 'eqvinox' Lamparter: NAT64 support.
1595	- For #722: minor fixes, formatting, refactoring.
1596
15971 May 2023: Wouter
1598	- Fix RPZ IP responses with trigger rpz-drop on cache entries, that
1599	  they are dropped.
1600
160126 April 2023: Philip
1602	- Fix issue #860: Bad interaction with 0 TTL records and serve-expired
1603
160426 April 2023: Wouter
1605	- Merge #882 from vvfedorenko: Features/dropqueuedpackets, with
1606	  sock-queue-timeout option that drops packets that have been in the
1607	  socket queue for too long. Added statistics num.queries_timed_out
1608	  and query.queue_time_us.max that track the socket queue timeouts.
1609	- Fix for #882: small changes, date updated in Copyright for
1610	  util/timeval_func.c and util/timeval_func.h. Man page entries and
1611	  example entry.
1612	- Fix for #882: document variable to stop doxygen warning.
1613
161419 April 2023: Wouter
1615	- Fix for #878: Invalid IP address in unbound.conf causes Segmentation
1616	  Fault on OpenBSD.
1617
161814 April 2023: Wouter
1619	- Merge #875: change obsolete txt URL in unbound-anchor.c to point
1620	  to RFC 7958, and Fix #874.
1621
162213 April 2023: Wouter
1623	- Fix build badge, from failing travis link to github ci action link.
1624
16256 April 2023: Wouter
1626	- Fix for #870: Add test case for the qname minimisation and CNAME.
1627
16284 April 2023: Wouter
1629	- Fix #870: NXDOMAIN instead of NOERROR rcode when asked for existing
1630	  CNAME record.
1631
163224 March 2023: Philip
1633	- Fix issue #676: Unencrypted query is sent when
1634	  forward-tls-upstream: yes is used without tls-cert-bundle
1635	- Extra consistency check to make sure that when TLS is requested,
1636	  either we set up a TLS connection or we return an error.
1637
163821 March 2023: Philip
1639	- Fix issue #851: reserved identifier violation
1640
164120 March 2023: Wouter
1642	- iana portlist update.
1643
164417 March 2023: George
1645	- Fix #812, fix #846, by using the SSL_OP_IGNORE_UNEXPECTED_EOF option
1646	  to ignore the unexpected eof while reading in openssl >= 3.
1647
164816 March 2023: Wouter
1649	- Fix ssl.h include brackets, instead of quotes.
1650
165114 March 2023: Wouter
1652	- Fix unbound-dnstap-socket test program to reply the finish frame
1653	  over a TLS connection correctly.
1654
165523 February 2023: Wouter
1656	- Fix for #852: Completion of error handling.
1657
165821 February 2023: Philip
1659       - Fix #825: Unexpected behavior with client-subnet-always-forward
1660         and serve-expired
1661
166210 February 2023: George
1663	- Clean up iterator/iterator.c::error_response_cache() and allow for
1664	  better interaction with serve-expired, prefetch and cached error
1665	  responses.
1666
16679 February 2023: George
1668	- Allow TTL refresh of expired error responses.
1669	- Add testcase for refreshing expired error responses.
1670
16719 February 2023: Wouter
1672	- Fix to ignore entirely empty responses, and try at another authority.
1673	  This turns completely empty responses, a type of noerror/nodata into
1674	  a servfail, but they do not conform to RFC2308, and the retry can
1675	  fetch improved content.
1676	- Fix unit tests for spurious empty messages.
1677	- Fix consistency of unit test without roundrobin answers for the
1678	  cnametooptout unit test.
1679	- Fix to git ignore the library symbol file that configure can create.
1680
16818 February 2023: Wouter
1682	- Fix #841: Unbound won't build with aaaa-filter-iterator.patch.
1683
168430 January 2023: George
1685	- Add duration variable for speed_local.test.
1686
168726 January 2023: Wouter
1688	- Fix acx_nlnetlabs.m4 for -Wstrict-prototypes.
1689
169023 January 2023: George
1691	- Fix #833: [FR] Ability to set the Redis password.
1692
169323 January 2023: Wouter
1694	- Fix #835: [FR] Ability to use Redis unix sockets.
1695
169620 January 2023: Wouter
1697	- Merge #819: Added new static zone type block_a to suppress all A
1698	  queries for specific zones.
1699
170019 January 2023: Wouter
1701	- Set max-udp-size default to 1232. This is the same default value as
1702	  the default value for edns-buffer-size. It restricts client edns
1703	  buffer size choices, and makes unbound behave similar to other DNS
1704	  resolvers. The new choice, down from 4096 means it is harder to get
1705	  large responses from Unbound. Thanks to Xiang Li, from NISL Lab,
1706	  Tsinghua University.
1707	- Add harden-unknown-additional option. It removes
1708	  unknown records from the authority section and additional section.
1709	  Thanks to Xiang Li, from NISL Lab, Tsinghua University.
1710	- Set default for harden-unknown-additional to no. So that it does
1711	  not hamper future protocol developments.
1712	- Fix test for new default.
1713
171418 January 2023: Wouter
1715	- Fix not following cleared RD flags potentially enables amplification
1716	  DDoS attacks, reported by Xiang Li and Wei Xu from NISL Lab,
1717	  Tsinghua University. The fix stops query loops, by refusing to send
1718	  RD=0 queries to a forwarder, they still get answered from cache.
1719
172013 January 2023: Wouter
1721	- Merge #826: Аdd a metric about the maximum number of collisions in
1722	  lrushah.
1723	- Improve documentation for #826, describe the large collisions amount.
1724
17259 January 2023: Wouter
1726	- Fix python module install path detection.
1727	- Fix python version detection in configure.
1728
17296 January 2023: Wouter
1730	- Fix #823: Response change to NODATA for some ANY queries since
1731	  1.12, tested on 1.16.1.
1732	- Fix wildcard in hyperlocal zone service degradation, reported
1733	  by Sergey Kacheev. This fix is included in 1.17.1rc2.
1734	  That became 1.17.1 on 12 Jan 2023, the code repo continues
1735	  with 1.17.2. 1.17.1 excludes fix #823, it is included forwards.
1736
17375 January 2023: Wouter
1738	- Tag for 1.17.1 release.
1739
17402 January 2023: Wouter
1741	- Fix windows compile for libunbound subprocess reap comm point closes.
1742	- Update github workflows to use checkout v3.
1743
174414 December 2022: George
1745	- Merge #569 from JINMEI Tatuya: add keep-cache option to
1746	  'unbound-control reload' to keep caches.
1747
174813 December 2022: George
1749	- Expose 'statistics-inhibit-zero' as a configuration option; the
1750	  default value retains Unbound's behavior.
1751	- Expose 'max-sent-count' as a configuration option; the
1752	  default value retains Unbound's behavior.
1753	- Merge #461 from Christian Allred: Add max-query-restarts option.
1754	  Exposes an internal configuration but the default value retains
1755	  Unbound's behavior.
1756
175713 December 2022: Wouter
1758	- Merge #808: Wrap Makefile script's directory variables in quotes.
1759	- Fix to wrap Makefile scripts directory in quotes for uninstall.
1760
17611 December 2022: Wouter
1762	- Fix #773: When used with systemd-networkd, unbound does not start
1763	  until systemd-networkd-wait-online.service times out.
1764
176530 November 2022: George
1766	- Add SVCB and HTTPS to the types removed by 'unbound-control flush'.
1767	- Clear documentation for interactivity between the subnet module and
1768	  the serve-expired and prefetch configuration options.
1769
177030 November 2022: Wouter
1771	- Fix #782: Segmentation fault in stats.c:404.
1772
177328 November 2022: Wouter
1774	- Fix for the ignore of tcp events for closed comm points, preserve
1775	  the use after free protection features.
1776
177723 November 2022: Philip
1778	- Merge #720 from jonathangray: fix use after free when
1779	  WSACreateEvent() fails.
1780
178122 November 2022: George
1782	- Ignore expired error responses.
1783
178411 November 2022: Wouter
1785	- Fix #779: [doc] Missing documentation in ub_resolve_event() for
1786	  callback parameter was_ratelimited.
1787
17889 November 2022: George
1789	- Complementary fix for distutils.sysconfig deprecation in Python 3.10
1790	  to commit 62c5039ab9da42713e006e840b7578e01d66e7f2.
1791
17928 November 2022: Wouter
1793	- Fix to ignore tcp events for closed comm points.
1794	- Fix to make sure to not read again after a tcp comm point is closed.
1795	- Fix #775: libunbound: subprocess reap causes parent process reap
1796	  to hang.
1797	- iana portlist update.
1798
179921 October 2022: George
1800	- Merge #767 from jonathangray: consistently use IPv4/IPv6 in
1801	  unbound.conf.5.
1802
180321 October 2022: Wouter
1804	- Fix that cachedb does not store failures in the external cache.
1805
180618 October 2022: George
1807	- Clarify the use of MAX_SENT_COUNT in the iterator code.
1808
180917 October 2022: Wouter
1810	- testcode/dohclient sets log identity to its name.
1811
181214 October 2022: Wouter
1813	- Merge #768 from fobser: Arithmetic on a pointer to void is a GNU
1814	  extension.
1815	- In unit test, print python script name list correctly.
1816
181713 October 2022: Wouter
1818	- Tag for 1.17.0 release. The code repository continues with 1.17.1.
1819
182011 October 2022: George
1821	- Fix PROXYv2 header read for TCP connections when no proxied addresses
1822	  are provided.
1823
18247 October 2022: Wouter
1825	- Tag for 1.17.0rc1 release.
1826
18277 October 2022: George
1828	- Fix to stop possible loops in the tcp reuse code (write_wait list
1829	  and tcp_wait list). Based on analysis and patch from Prad Seniappan
1830	  and Karthik Umashankar.
1831	- Fix unit test to properly test the reuse_write_wait_pop function.
1832
18336 October 2022: Wouter
1834	- Fix to stop responses with TC flag from resulting in partial
1835	  responses. It retries to fetch the data elsewhere, or fails the
1836	  query and in depth fix removes the TC flag from the cached item.
1837	- Fix proxy length debug output printout typecasts.
1838
18395 October 2022: Wouter
1840	- Fix dnscrypt compile for proxy protocol code changes.
1841
18425 October 2022: George
1843	- Use DEBUG_TDIR from environment in mini_tdir.sh for debugging.
1844	- Fix string comparison in mini_tdir.sh.
1845	- Make ede.tdir test more predictable by using static data.
1846	- Fix checkconf test for dnscrypt and proxy port.
1847
18484 October 2022: George
1849	- Merge #764: Leniency for target discovery when under load (for
1850	  NRDelegation changes).
1851
18524 October 2022: Wouter
1853	- Fix static analysis report to remove dead code from the
1854	  rpz_callback_from_iterator_module function.
1855	- Fix to clean up after the acl_interface unit test.
1856
18573 October 2022: George
1858	- Merge #760: PROXYv2 downstream support. (New proxy-protocol-port
1859	  configuration option).
1860
18613 October 2022: Wouter
1862	- Fix to remove erroneous TC flag from TCP upstream.
1863	- Fix test tdir skip report printout.
1864	- Fix windows compile, the identifier interface is defined in headers.
1865	- Fix to close errno block in comm_point_tcp_handle_read outside of
1866	  ifdef.
1867
186826 September 2022: George
1869	- Better output for skipped tdir tests.
1870
187121 September 2022: Wouter
1872	- Patch for CVE-2022-3204 Non-Responsive Delegation Attack.
1873	- This patch was released in 1.16.3, the code repository continues
1874	  with the previous features and fixes for 1.17.0.
1875	- Fix doxygen warning in respip.h.
1876
187720 September 2022: George
1878	- Convert tdir tests to use the new skip_test functionality.
1879	- Remove unused testcode/mini_tpkg.sh file.
1880
188116 September 2022: George
1882	- Merge #753: ACL per interface. (New interface-* configuration
1883	  options).
1884
18852 September 2022: Wouter
1886	- Remove include that was there for debug purposes.
1887	- Fix to check pthread_t size after pthread has been detected.
1888
18891 September 2022: Wouter
1890	- Fix to update config tests to fix checking if nonblocking sockets
1891	  work on OpenBSD.
1892	- Slow down log frequency of write wait failures.
1893	- Fix to set out of file descriptor warning to operational verbosity.
1894	- Fix to log a verbose message at operational notice level if a
1895	  thread is not responding, to stats requests. It is logged with
1896	  thread identifiers.
1897
189831 August 2022: Wouter
1899	- Fix to avoid process wide fcntl calls mixed with nonblocking
1900	  operations after a blocked write.
1901	- Patch from Vadim Fedorenko that adds MSG_DONTWAIT to receive
1902	  operations, so that instruction reordering does not cause mistakenly
1903	  blocking socket operations.
1904	- Fix to wait for blocked write on UDP sockets, with a timeout if it
1905	  takes too long the packet is dropped.
1906	- Fix for wait for udp send to stop when packet is successfully sent.
1907
190822 August 2022: Wouter
1909	- Fix #741: systemd socket activation fails on IPv6.
1910
191112 August 2022: Wouter
1912	- Fix to log accept error ENFILE and EMFILE errno, but slowly, once
1913	  per 10 seconds. Also log accept failures when no slow down is used.
1914
19155 August 2022: Wouter
1916	- Fix #734 [FR] enable unbound-checkconf to detect more (basic)
1917	  errors.
1918
19194 August 2022: Wouter
1920	- Fix ratelimit inconsistency, for ip-ratelimits the value is the
1921	  amount allowed, like for ratelimits.
1922
19232 August 2022: Wouter
1924	- Fix edns subnet so that scope 0 answers only match sourcemask 0
1925	  queries for answers from cache if from a query with sourcemask 0.
1926	- Fix unittest for edns subnet change.
1927	- Merge #730 from luisdallos: Fix startup failure on Windows 8.1 due
1928	  to unsupported IPV6_USER_MTU socket option being set.
1929
19301 August 2022: Wouter
1931	- Fix the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699.
1932	- Tests for ghost domain fixes.
1933	- Tag for 1.16.2 release. The code repo continues with 1.16.3.
1934	- Fix #728: alloc_reg_obtain() core dump. Stop double
1935	  alloc_reg_release when serviced_create fails.
1936
193719 July 2022: George
1938	- Update documentation for 'outbound-msg-retry:'.
1939
194019 July 2022: Wouter
1941	- Merge #718: Introduce infra-cache-max-rtt option to config max
1942	  retransmit timeout.
1943
194415 July 2022: Wouter
1945	- Merge PR 714: Avoid treat normal hosts as unresponsive servers.
1946	  And fixup the lock code.
1947	- iana portlist update.
1948
194912 July 2022: George
1950	- For windows crosscompile, fix setting the IPV6_MTU socket option
1951	  equivalent (IPV6_USER_MTU); allows cross compiling with latest
1952	  cross-compiler versions.
1953
195412 July 2022: Wouter
1955	- Fix dname count in sldns parse type descriptor for SVCB and HTTPS.
1956
195711 July 2022: Wouter
1958	- Fix verbose EDE error printout.
1959
19604 July 2022: George
1961	- Fix bug introduced in 'improve val_sigcrypt.c::algo_needs_missing for
1962	  one loop pass'.
1963	- Merge PR #668 from Cristian Rodríguez: Set IP_BIND_ADDRESS_NO_PORT on
1964	  outbound tcp sockets.
1965
19664 July 2022: Wouter
1967	- Tag for 1.16.1rc1 release. This became 1.16.1 on 11 July 2022.
1968	  The code repo continues with version 1.16.2 under development.
1969
19703 July 2022: George
1971	- Merge PR #671 from Petr Menšík: Disable ED25519 and ED448 in FIPS
1972	  mode on openssl3.
1973	- Merge PR #660 from Petr Menšík: Sha1 runtime insecure.
1974	- For #660: formatting, less verbose logging, add EDE information.
1975	- Fix for correct openssl error when adding windows CA certificates to
1976	  the openssl trust store.
1977	- Improve val_sigcrypt.c::algo_needs_missing for one loop pass.
1978	- Reintroduce documentation and more EDE support for
1979	  val_sigcrypt.c::dnskeyset_verify_rrset_sig.
1980
19811 July 2022: George
1982	- Merge PR #706: NXNS fallback.
1983	- From #706: Cached NXDOMAIN does not increase the target nx
1984	  responses.
1985	- From #706: Don't generate parent side queries if we already
1986	  have the lame records in cache.
1987	- From #706: When a lame address is the best choice, don't try to
1988	  generate target queries when the missing targets are all lame.
1989
199029 June 2022: Wouter
1991	- iana portlist update.
1992	- Fix detection of libz on windows compile with static option.
1993	- Fix compile warning for windows compile.
1994
199529 June 2022: George
1996	- Add debug option to the mini_tdir.sh test code.
1997	- Fix #704: [FR] Statistics counter for number of outgoing UDP queries
1998	  sent; introduces 'num.query.udpout' to the 'unbound-control stats'
1999	  command.
2000	- Fix to not count cached NXDOMAIN for MAX_TARGET_NX.
2001	- Allow fallback to the parent side when MAX_TARGET_NX is reached.
2002	  This will also allow MAX_TARGET_NX more NXDOMAINs.
2003
200428 June 2022: George
2005	- Show the output of the exact .rpl run that failed with 'make test'.
2006	- Fix for cached 0 TTL records to not trigger prefetching when
2007	  serve-expired-client-timeout is set.
2008
200928 June 2022: Wouter
2010	- Fix test program dohclient close to use portability routine.
2011
201223 June 2022: Tom
2013	- Clarify -v flag manpage entry (#705)
2014
201522 June 2022: Philip
2016	- Fix #663: use after free issue with edns options.
2017
201821 June 2022: Philip
2019	- Fix for loading locally stored zones that have lines with blanks or
2020	  blanks and comments.
2021
202220 June 2022: George
2023	- Remove unused LDNS function check for GOST Engine unloading.
2024
202514 June 2022: George
2026	- Merge PR #688: Rpz url notify issue.
2027	- Note in the unbound.conf text that NOTIFY is allowed from the url:
2028	  addresses for auth and rpz zones.
2029
20303 June 2022: George
2031	- Fix for edns client subnet to respect not looking in its cache when
2032	  instructed to do so (e.g., prefetch).
2033
20343 June 2022: Wouter
2035	- makedist.sh picks up 32bit libssp-0.dll when 32bit compile.
2036
203727 May 2022: Wouter
2038	- Fix #684: [FTBS] configure script error with libmnl on openSUSE 15.3 (and possibly other distributions)
2039	- Version is set to 1.16.0 for release. Release tag 1.16.0rc1. This
2040	  became release 1.16.0 on 2 June 2022. The source code branch
2041	  continues with version 1.16.1 under development.
2042
204320 May 2022: Wouter
2044	- Fix to silence test for ede error output to the console from the
2045	  test setup script.
2046	- Fix ede test to not use default pidfile, and use local interface.
2047	- Fix some lint type warnings.
2048
204918 May 2022: George
2050	- Fix typos in config_set_option for the 'num-threads' and
2051	  'ede-serve-expired' options.
2052
205315 May 2022: George
2054	- Fix #678: [FR] modify behaviour of unbound-control rpz_enable zone,
2055	  by updating unbound-control's documentation.
2056
205712 May 2022: George
2058	- Fix #417: prefetch and ECS causing cache corruption when used
2059	  together.
2060
206112 May 2022: Wouter
2062	- Merge #677: Allow using system certificates not only on Windows,
2063	  from pemensik.
2064	- For #677: Added tls-system-cert to config parser and documentation.
2065
206611 May 2022: Wouter
2067	- Fix #673: DNS over TLS: error: SSL_handshake syscall: No route to
2068	  host.
2069
207010 May 2022: George
2071	- Fix Python build in non-source directory; based on patch by
2072	  Michael Tokarev.
2073
20746 May 2022: Tom
2075	- Merge PR #604: Add basic support for EDE (RFC8914).
2076
207728 April 2022: Wouter
2078	- Fix #670: SERVFAIL problems with unbound 1.15.0 running on
2079	  OpenBSD 7.1.
2080
20818 April 2022: Wouter
2082	- Fix zonemd check to allow unsupported algorithms to load.
2083	  If there are only unsupported algorithms, or unsupported schemes,
2084	  and no failed or successful other ZONEMD records, or malformed
2085	  or bad ZONEMD records, the unsupported records allow the zone load.
2086	- Fix zonemd unsupported algo check.
2087	- Fix zonemd unsupported algo check reason to not copy to next record,
2088	  and check for success for debug printout.
2089	- Fix zonemd unsupported algo check to print unsupported reason before
2090	  zeroing it.
2091	- Fix zonemd unsupported algo check to set reason to NULL before the
2092	  check routine, but after malformed checks, to get the correct NULL
2093	  output when the digest matches.
2094
209525 March 2022: Wouter
2096	- Fix spelling error in comment in sldns_str2wire_svcparam_key_lookup.
2097
209823 March 2022: Wouter
2099	- Fix #651: [FR] Better logging for refused queries.
2100
210118 March 2022: George
2102	- Merge PR #648 from eaglegai: fix -q doesn't work when use with
2103	  'unbound-control stats_shm'.
2104
210517 March 2022: Wouter
2106	- Fix to describe auth-zone and other configuration at the local-zone
2107	  configuration option, to allow for more broadly view of the options.
2108
210916 March 2022: Wouter
2110	- Fix to ensure uniform handling of spaces and tabs when parsing RRs.
2111
21129 March 2022: Wouter
2113	- Merge #644: Make `install-lib` make target install the pkg-config
2114	  file.
2115
21167 March 2022: Wouter
2117	- Fix configure for python to use sysutils, because distutils is
2118	  deprecated. It uses sysutils when available, distutils otherwise.
2119
21203 March 2022: Wouter
2121	- Fix #637: Integer Overflow in sldns_str2period function.
2122	- Fix for #637: fix integer overflow checks in sldns_str2period.
2123
21242 March 2022: George
2125	- Merge PR #632 from scottrw93: Match cnames in ipset.
2126	- Various fixes for #632: variable initialisation, convert the qinfo
2127	  to str once, accept trailing dot in the local-zone ipset option.
2128
21292 March 2022: Wouter
2130	- Fix compile warnings for printf ll format on mingw compile.
2131
21321 March 2022: Wouter
2133	- Fix pythonmod for change in iter_dp_is_useless function prototype.
2134
213528 February 2022: George
2136	- Fix #630: Unify the RPZ log messages.
2137	- Merge #623 from rex4539: Fix typos.
2138
213928 February 2022: Wouter
2140	- Fix #633: Document unix domain socket support for unbound-control.
2141	- Fix for #633: updated fix with new text.
2142	- Fix edns client subnet to add the option based on the option list,
2143	  so that it is not state dependent, after the state fix of #605 for
2144	  double EDNS options.
2145	- Fix for edns client subnet option add fix in removal code, from review.
2146
214725 February 2022: Wouter
2148	- Fix to detect that no IPv6 support means that IPv6 addresses are
2149	  useless for delegation point lookups.
2150	- update Makefile dependencies.
2151	- Fix check interface existence for support detection in remote lookup.
2152
215318 February 2022: Wouter
2154	- Fix that address not available is squelched from the logs for
2155	  udp connect failures. It is visible on verbosity 4 and more.
2156	- Merge #631 from mollyim: Replace OpenSSL's ERR_PACK with
2157	  ERR_GET_REASON.
2158
215916 February 2022: Wouter
2160	- Fix for #628: fix rpz-passthru for qname trigger by localzone type.
2161
216215 February 2022: Wouter
2163	- Fix #628: A rpz-passthru action is not ending RPZ zone processing.
2164
216511 February 2022: Wouter
2166	- Fix #624: Unable to stop Unbound in Windows console (does not
2167	  respond to CTRL+C command).
2168	- Fix #618: enabling interface-automatic disables DNS-over-TLS.
2169	  Adds the option to list interface-automatic-ports.
2170	- Remove debug info from #618 fix.
2171
21727 February 2022: Wouter
2173	- Fix that TCP interface does not use TLS when TLS is also configured.
2174
21754 February 2022: Wouter
2176	- Fix #412: cache invalidation issue with CNAME+A.
2177
21783 February 2022: Wouter
2179	- Fix for #611: Integer overflow in sldns_wire2str_pkt_scan.
2180	- Tag for 1.15.0rc1 created. That became 1.15.0 on 10 feb 2022.
2181	  The repository continues with version 1.15.1.
2182
21832 February 2022: George
2184	- Merge PR #532 from Shchelk: Fix: buffer overflow bug.
2185	- Merge PR #616: Update ratelimit logic. It also introduces
2186	  ratelimit-backoff and ip-ratelimit-backoff configuration options.
2187	- Change aggressive-nsec default to yes.
2188	- Merge PR #617: Update stub/forward-host notation to accept port and
2189	  tls-auth-name.
2190	- Update stream_ssl.tdir test to also use the new forward-host
2191	  notation.
2192
21932 February 2022: Wouter
2194	- Update version number in repo to 1.15.0 for upcoming release,
2195	  since it changes the aggressive-nsec default and the ratelimit change.
2196	- Fix header comment for doxygen for authextstrtoaddr.
2197	- please clang analyzer for loop in test code.
2198	- Fix docker splint test to use more portable uname.
2199	- Update contrib/aaaa-filter-iterator.patch with diff for current
2200	  software version.
2201
22021 February 2022: George
2203	- Merge PR #603 from fobser: Use OpenSSL 1.1 API to access DSA and RSA
2204	  internals.
2205
220631 January 2022: George
2207	- Fix review comment for use-after-free when failing to send UDP out.
2208
220931 January 2022: Wouter
2210	- iana portlist update.
2211
221229 January 2022: George
2213	- Fix tls-* and ssl-* documented alternate syntax to also be available
2214	  through remote-control and unbound-checkconf.
2215	- Better cleanup on failed DoT/DoH listening socket creation.
2216
221726 January 2022: George
2218	- Fix #599: [FR] RFC 9156 (obsoletes RFC 7816), by noting the new RFC
2219	  document.
2220
222126 January 2022: Wouter
2222	- Test for NSID in SERVFAIL response due to DNSSEC bogus.
2223
222425 January 2022: George
2225	- Fix #588: Unbound 1.13.2 crashes due to p->pc is NULL in
2226	  serviced_udp_callback.
2227	- Merge PR #612: TCP race condition.
2228
222925 January 2022: Wouter
2230	- Fix #610: Undefine-shift in sldns_str2wire_hip_buf.
2231
223219 January 2022: George
2233	- For dnstap, do not wakeupnow right there. Instead zero the timer to
2234	  force the wakeup callback asap.
2235
223614 January 2022: George
2237	- Merge PR #605:
2238	  - Fix EDNS to upstream where the same option could be attached
2239	     more than once.
2240	  - Add a region to serviced_query for allocations.
2241
224214 January 2022: Wouter
2243	- Add rpz: for-downstream: yesno option, where the RPZ zone is
2244	  authoritatively answered for, so the RPZ zone contents can be
2245	  checked with DNS queries directed at the RPZ zone.
2246	- For #602: Allow the module-config "subnetcache validator cachedb
2247	  iterator".
2248
224911 January 2022: George
2250	- Fix prematurely terminated TCP queries when a reply has the same ID.
2251
22527 January 2022: Wouter
2253	- Merge #600 from pemensik: Change file mode before changing file
2254	  owner.
2255
22565 January 2022: Wouter
2257	- Fix for #596: fix that rpz return message is returned and not just
2258	  the rcode from the iterator return path. This fixes signal unset RA
2259	  after a CNAME.
2260	- Fix unit tests for rpz now that the AA flag returns successfully from
2261	  the iterator loop.
2262	- Fix for #596: add unit test for nsdname trigger and signal unset RA.
2263	- Fix for #596: add unit test for nsip trigger and signal unset RA.
2264	- Fix #598: Fix unbound-checkconf fatal error: module conf
2265	  'respip dns64 validator iterator' is not known to work.
2266	- Fix for #596: Fix rpz-signal-nxdomain-ra to work for clientip
2267	  triggered operation.
2268
22694 January 2022: Wouter
2270	- Fix #596: unset the RA bit when a query is blocked by an unbound
2271	  RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to
2272	  signal that a domain is externally blocked to clients when it
2273	  is blocked with NXDOMAIN by unsetting RA.
2274	- Fix to add test for rpz-signal-nxdomain-ra.
2275	- Fix #596: only unset RA when NXDOMAIN is signalled.
2276	- Fix that RPZ does not set RD flag on replies, it should be copied
2277	  from the query.
2278
227922 December 2021: George
2280	- contrib/aaaa-filter-iterator.patch file renewed diff content to
2281	  apply cleanly to the current coderepo for the current code version.
2282
228320 December 2021: George
2284	- Fix #591: Unbound-anchor manpage links to non-existent license file.
2285
228613 December 2021: George
2287	- Add missing configure flags for optional features in the
2288	  documentation.
2289	- Fix Unbound capitalization in the documentation.
2290
229113 December 2021: Wouter
2292	- Fix to pick up other class local zone information before unlock.
2293
229410 December 2021: George
2295	- Allow local-data for classes other than IN to inherit a configured
2296	  local-zone's type if possible, instead of defaulting to type
2297	  transparent as per the implicit rule.
2298
229910 December 2021: Wouter
2300	- Add code similar to fix for ldns for tab between strings, for
2301	  consistency, the test case was not broken.
2302
23036 December 2021: Wouter
2304	- Merge PR #581 from fobser: Fix -Wmissing-prototypes and -Wshadow
2305	  warnings in rpz.
2306	- Fix validator debug output about DS support, print correct algorithm.
2307
23083 December 2021: Wouter
2309	- Fix compile warning for if_nametoindex on windows 64bit.
2310
23111 December 2021: Wouter
2312	- configure is set to 1.14.0, and release branch.
2313	  This was released as version 1.14.0 on 9 Dec 2021, with the doxygen
2314	  fix below included. The main branch continues as 1.14.1.
2315	- Fix doc/unbound.doxygen to remove obsolete tag warning.
2316
23171 December 2021: George
2318	- Merge PR #511 from yan12125: Reduce unnecessary linking.
2319	- Merge PR #493 from Jaap: Fix generation of libunbound.pc.
2320	- Merge PR #555 from fobser: Allow interface names as scope-id in IPv6
2321	  link-local addresses.
2322	- Merge PR #562 from Willem: Reset keepalive per new tcp session.
2323	- Merge PR #522 from sibeream: memory management violations fixed.
2324	- Merge PR #530 from Shchelk: Fix: dereferencing a null pointer.
2325	- Fix #454: listen_dnsport.c:825: error: ‘IPV6_TCLASS’ undeclared.
2326	- Fix #574: Review fixes for size allocation.
2327
232830 November 2021: Wouter
2329	- Fix to remove git tracking and ci information from release tarballs.
2330	- iana portlist update.
2331
233229 November 2021: Wouter
2333	- Merge PR #570 from rex4539: Fix typos.
2334	- Fix for #570: regen aclocal.m4, fix configure.ac for spelling.
2335	- Fix to make python module opt_list use opt_list_in.
2336	- Fix #574: unbound-checkconf reports fatal error if interface names
2337	  are used as value for interfaces:
2338	- Fix #574: Review fixes for it.
2339	- Fix #576: [FR] UB_* error codes in unbound.h
2340	- Fix #574: Review fix for spelling.
2341
234215 November 2021: Tom
2343	- Improve EDNS option handling, now also works for synthesised
2344	  responses such as local-data and server.id CH TXT responses.
2345
23465 November 2021: George
2347	- Fix for #558: fix loop in comm_point->tcp_free when a comm_point is
2348	  reclaimed more than once during callbacks.
2349	- Fix for #558: clear the UB_EV_TIMEOUT bit before adding an event.
2350
23515 November 2021: Wouter
2352	- Fix that forward-zone name is documented as the full name of the
2353	  zone. It is not relative but a fully qualified domain name.
2354	- Fix analyzer review failure in rpz action override code to not
2355	  crash on unlocking the local zone lock.
2356	- Fix to remove unused code from rpz resolve client and action
2357	  function.
2358	- Merge #565: unbound.service.in: Disable ProtectKernelTunables again.
2359
23602 November 2021: Wouter
2361	- Fix #552: Unbound assumes index.html exists on RPZ host.
2362
236311 October 2021: Wouter
2364	- Fix chaos replies to have truncation for short message lengths,
2365	  or long reply strings.
2366	- Fix to protect custom regional create against small values.
2367
23684 October 2021: Wouter
2369	- Fix to add example.conf note for outbound-msg-retry.
2370
237127 September 2021: Wouter
2372	- Implement RFC8375: Special-Use Domain 'home.arpa.'.
2373
237421 September 2021: Wouter
2375	- For crosscompile on windows, detect 64bit stackprotector library.
2376	- Fix crosscompile shell syntax.
2377	- Fix crosscompile windows to use libssp when it exists.
2378	- For the windows compile script disable gost.
2379	- Fix that on windows, use BIO_set_callback_ex instead of deprecated
2380	  BIO_set_callback.
2381	- Fix crosscompile script for the shared build flags.
2382
238320 September 2021: Wouter
2384	- Fix crosscompile on windows to work with openssl 3.0.0 the
2385	  link with ws2_32 needs -l:libssp.a for __strcpy_chk.
2386	  Also copy results from lib64 directory if needed.
2387
238810 September 2021: Wouter
2389	- Fix initialisation errors reported by gcc sanitizer.
2390	- Fix lock debug code for gcc sanitizer reports.
2391	- Fix more initialisation errors reported by gcc sanitizer.
2392
23938 September 2021: Wouter
2394	- Merged #41 from Moritz Schneider: made outbound-msg-retry
2395	  configurable.
2396	- Small fixes for #41: changelog, conflicts resolved,
2397	  processQueryResponse takes an iterator env argument like other
2398	  functions in the iterator, no colon in string for set_option,
2399	  and some whitespace style, to make it similar to the rest.
2400	- Fix for #41: change outbound retry to int to fix signed comparison
2401	  warnings.
2402	- Fix root_anchor test to check with new icannbundle date.
2403
24043 September 2021: Wouter
2405	- Fix #538: Fix subnetcache statistics.
2406
24071 September 2021: Wouter
2408	- Fix tcp fastopen failure when disabled, try normal connect instead.
2409
241027 August 2021: Wouter
2411	- Fix #533: Negative responses get cached even when setting
2412	  cache-max-negative-ttl: 1
2413
241425 August 2021: Wouter
2415	- Merge #401: RPZ triggers. This add additional RPZ triggers,
2416	  unbound supports a full set of rpz triggers, and this now
2417	  includes nsdname, nsip and clientip triggers. Also actions
2418	  are fully supported, and this now includes the tcp-only action.
2419	- Fix #536: error: RPZ: name of record (drop.spamhaus.org.rpz.local.)
2420	  to insert into RPZ.
2421	- Fix the stream wait stream_wait_count_lock and http2 buffer locks
2422	  setup and desetup from race condition.
2423	- Fix RPZ locks. Do not unlock zones lock if requested and rpz find
2424	  zone does not find the zone. Readlock the clientip that is found
2425	  for ipbased triggers. Unlock the nsdname zone lock when done.
2426	  Unlock zone and ip in rpz nsip and nsdname callback. Unlock
2427	  authzone and localzone if clientip found in rpz worker call.
2428	- Fix compile warning in libunbound for listen desetup routine.
2429	- Fix asynclook unit test for setup of lockchecks before log.
2430
243120 August 2021: Wouter
2432	- Fix #529: Fix: log_assert does nothing if UNBOUND_DEBUG is
2433	  undefined.
2434	- Fix #531: Fix: passed to proc after free.
2435
243617 August 2021: Wouter
2437	- Fix that --with-ssl can use "/usr/include/openssl11" to pass the
2438	  location of a different openssl version.
2439	- Fix #527: not sending quad9 cert to syslog (and may be more).
2440	- Fix sed script in ssldir split handling.
2441
244216 August 2021: George
2443	- Merge PR #528 from fobser: Make sldns_str2wire_svcparam_buf()
2444	  static.
2445
244616 August 2021: Wouter
2447	- Fix to support harden-algo-downgrade for ZONEMD dnssec checks.
2448
244913 August 2021: Wouter
2450	- Support using system-wide crypto policies.
2451	- Fix for #431: Squelch permission denied errors for udp connect,
2452	  and udp send, they are visible at higher verbosity settings.
2453	- Fix zonemd verification of key that is not in DNS but in the zone
2454	  and needs a chain of trust.
2455	- zonemd, fix order of bogus printout string manipulation.
2456
245712 August 2021: George
2458	- Merge PR #514, from ziollek: Docker environment for run tests.
2459	- For #514: generate configure.
2460
246112 August 2021: Wouter
2462	- And 1.13.2rc1 became the 1.13.2 with the fix for the python module
2463	  build. The current code repository continues with version 1.13.3.
2464	- Add test tool readzone to .gitignore.
2465	- Merge #521: Update mini_event.c.
2466	- Merge #523: fix: free() call more than once with the same pointer.
2467	- Merge #519: Support for selective enabling tcp-upstream for
2468	  stub/forward zones.
2469	- For #519: note stub-tcp-upstream and forward-tcp-upstream in
2470	  the example configuration file.
2471	- For #519: yacc and lex. And fix python bindings, and test program
2472	  unbound-dnstap-socket.
2473	- For #519: fix comments for doxygen.
2474	- Fix to print error from unbound-anchor for writing to the key
2475	  file, also when not verbose.
2476
24775 August 2021: Wouter
2478	- Tag for 1.13.2rc1 release.
2479	- Fix #520: Unbound 1.13.2rc1 fails to build python module.
2480
24814 August 2021: George
2482	- Merge PR #415 from sibeream: Use
2483	  /proc/sys/net/ipv4/ip_local_port_range to determine available outgoing
2484	  ports. (New --enable-linux-ip-local-port-range configuration option)
2485	- Bump MAX_RESTART_COUNT to 11 from 8; in relation to #438. This
2486	  allows longer CNAME chains in Unbound.
2487
24884 August 2021: Wouter
2489	- In unit test use openssl set security level to allow keys in test.
2490	- Fix static analysis warnings about localzone locks that are unused.
2491	- Fix missing locks in zonemd unit test.
2492	- Fix readzone compile under debug config.
2493	- Fix out of sourcedir run of zonemd unit tests.
2494	- Fix libnettle zonemd unit test.
2495	- Fix unit test zonemd_reload for use in run_vm.
2496
24973 August 2021: George
2498	- Listen to read or write events after the SSL handshake.
2499	  Sticky events on windows would stick on read when write was needed.
2500
25013 August 2021: Wouter
2502	- Merge PR #517 from dyunwei: #420 breaks the mesh reply list
2503	  function that need to reuse the dns answer.
2504	- Annotate assertion into error printout; we think it may be an
2505	  error, but the situation looks harmless.
2506	- Fix sign comparison warning on FreeBSD.
2507
25082 August 2021: Wouter
2509	- Prepare for OpenSSL 3.0.0 provider API usage, move the sldns
2510	  keyraw functions to produce EVP_PKEY results.
2511	- Move RSA and DSA to use OpenSSL 3.0.0 API.
2512	- Move ECDSA functions to use OpenSSL 3.0.0 API.
2513	- iana portlist update.
2514	- Fix verbose printout failure in tcp reuse unit test.
2515
251630 July 2021: Wouter
2517	- Fix #515: Compilation against openssl 3.0.0 beta2 is failing to
2518	  build unbound.
2519	- For #515: Fix compilation with openssl 3.0.0 beta2, lib64 dir and
2520	  SSL_get_peer_certificate.
2521	- Move acx_nlnetlabs.m4 to version 41, with lib64 openssl dir check.
2522
252326 July 2021: George
2524	- Merge #513: Stream reuse, attempt to fix #411, #439, #469. This
2525	  introduces a couple of fixes for the stream reuse functionality
2526	  that could result in broken internal structures.
2527
252826 July 2021: Wouter
2529	- Merge #512: unbound.service.in: upgrade hardening to latest
2530	  standards.
2531	- Fix readzone unknown type print for memory resize.
2532
253321 July 2021: Wouter
2534	- Fix that ldns_zone_new_frm_fp_l counts the line number for an empty
2535	  line after a comment.
2536
253716 July 2021: George
2538	- Introduce 'http-user-agent:' and 'hide-http-user-agent:' options.
2539
254016 July 2021: Wouter
2541	- Merge #510 from ndptech: Don't call a function which hasn't been
2542	  defined.
2543	- Fix for #510: in depth, use ifdefs for windows api event calls.
2544	- Fix spelling in doc/unbound.doxygen comment.
2545	- Fix spelling in localzone.h comment.
2546	- Fix unbound-control local_data and local_datas to print detailed
2547	  syntax errors.
2548	- review fix to remove duplicate error printout.
2549	- Insert header into testcode/readzone.c, it was missing.
2550	- Fix from lint for ignored return value.
2551	- Fix for older parsers for function call in serve expired get cached.
2552
25536 July 2021: Wouter
2554	- iana portlist update.
2555
25565 July 2021: George
2557	- Fix compiler warnings for #491.
2558	- Fix clang-analysis warnings for testcode/readzone.c.
2559
25604 July 2021: George
2561	- Fix Wunused-result compile warnings.
2562
25632 July 2021: Tom
2564	- Merge PR #491: Add SVCB and HTTPS types and handling according to
2565	  draft-ietf-dnsop-svcb-https.
2566
25672 July 2021: Wouter
2568	- Fix #506: Python Module Seems to Leak Memory if it Experiences an
2569	  Unhandled Exception.
2570
257125 June 2021: Wouter
2572	- Fix up permissions on rpl data file in tests.
2573	- Fix testbound newline treatment in moment_read and tempfile write.
2574	- Fix configure grep for reuseport default for failure.
2575	- Fix compat ctime_r return value
2576	- Fix configure does not require pkg-config if not needed.
2577	- Fix unit test in the ctime_r calls for autotrust and in testbound.
2578	- Fix auth zone download on windows to unlink before rename.
2579
258024 June 2021: Wouter
2581	- Add analyzer and port compile github workflow.
2582
258323 June 2021: Wouter
2584	- Fix #503: DNS over HTTPS response truncated.
2585	- Fix warnings reported by the gcc analyzer.
2586
258721 June 2021: George
2588	- Fix #495: Documentation or implementation of "verbosity" option.
2589
259018 June 2021: Wouter
2591	- Fix a number of warnings reported by the gcc analyzer.
2592
259315 June 2021: George
2594	- Merge #440 by kimheino: Various fixes to contrib/unbound_munin_ file.
2595
259614 June 2021: Wouter
2597	- Fix configure nonblocking test and onmingw test to use host.
2598
259910 June 2021: Wouter
2600	- Fix #500: SPEC file in version 1.13.1 references version 1.4;
2601	  unable to build RPM from source.
2602	- Fix contrib/unbound.spec, fixed url and comment.
2603
26049 June 2021: George
2605	- Merge #486 by fobster: Make VAL_MAX_RESTART_COUNT configurable.
2606	- Generated lexer and parser for #486; updated example.conf.
2607	- Fix #413 (based on patch by k-ronny): unbound: does not compile
2608	  on macOS 11.1-x86_64 host.
2609	- Use host_os instead of target_os in configure for Darwin8 build.
2610
26118 June 2021: George
2612	- Fix unused variable warning when compiling with --enable-dnstap.
2613
26147 June 2021: George
2615	- Merge #448 from shoeper: Update unbound-control.8.in, fix
2616	  rpz_disable typo.
2617	- Fix #425: Document auth-zone supports communication with DNS
2618	  primary on nondefault port.
2619
26201 June 2021: George
2621	- Fix test for zonemd-check option.
2622
262327 May 2021: Wouter
2624	- Merge #496 from banburybill: Use build system endianness if
2625	  available, otherwise try to work it out.
2626	- zonemd-check: yesno option, default no, enables the processing
2627	  of ZONEMD records for that zone.
2628
262925 May 2021: Wouter
2630	- Move the NSEC3 max iterations count in line with the 150 value
2631	  used by BIND, Knot and PowerDNS. This sets the default value
2632	  for it in the configuration to 150 for all key sizes.
2633	- Fix #492: module-config respip missing in unbound.conf.5.in man
2634	  page. Merges #494 from he32.
2635	- For #492: Fix font highlighting for the man page on emacs.
2636
263721 May 2021: Wouter
2638	- Test code has -q option for quiet output.
2639
264019 May 2021: George
2641	- Fix for #411, #439, #469: Reset the DNS message ID when moving queries
2642	  between TCP streams.
2643	- Refactor for uniform way to produce random DNS message IDs.
2644
264517 May 2021: Wouter
2646	- Fix #489: Compile using MSYS2 MinGW 64-bit.
2647
264812 May 2021: Wouter
2649	- Fix that auth-zone zonefiles use last TTL if no TTL is specified.
2650
265110 May 2021: Wouter
2652	- Merge PR #487: ifdef RLIMIT_AS in recently added check.
2653
26547 May 2021: Wouter
2655	- Fix #485: Unbound occasionally reports broken stats.
2656	- Add ./configure --with-deprecate-rsa-1024 that turns off RSA 1024.
2657	- Remove case fallthrough from deprecate-rsa-1024 code.
2658
26594 May 2021: George
2660	- Fix for #367: only attempt to get the interface for queries that are no
2661	  longer on the tcp_waiting_list.
2662	- Add more logging for out-of-memory cases.
2663
26644 May 2021: Wouter
2665	- Merge #478: Allow configuration of TCP timeout while waiting for
2666	  response.
2667	- Fix to squelch tcp socket bind failures when the interface is gone.
2668	- Rerun flex and bison.
2669
26703 May 2021: Wouter
2671	- Fix #481: Fix comment in configuration file.
2672
267329 April 2021: Wouter
2674	- Add that log-servfail prints an IP address and more information
2675	  about one of the last failures for that query.
2676
267728 April 2021: George
2678	- Fix compiler warning for signed/unsigned comparison for
2679	  max_reuse_tcp_queries.
2680
268128 April 2021: Wouter
2682	- Fix #474: always_null and others inside view.
2683
268426 April 2021: Wouter
2685	- Merge #470 from edevil: Allow configuration of persistent TCP
2686	  connections.
2687
268822 April 2021: Wouter
2689	- Merge #466 from FGasper: Support OpenSSLs that lack
2690	  SSL_get0_alpn_selected.
2691	- Fix #468: OpenSSL 1.0.1 can no longer build Unbound.
2692	- Further fix for #468: detect SSL_CTX_set_alpn_protos for build with
2693	  OpenSSL 1.0.1.
2694	- Fix that testcode dohclient has OpenSSL initialisation calls.
2695
269613 April 2021: George
2697	- Fix documentation comment for files previously residing in checkconf/.
2698	- Remove unused functions worker_handle_reply and libworker_handle_reply.
2699
270013 April 2021: Wouter
2701	- Fix that nxdomain synthesis does not happen above the stub or
2702	  forward definition.
2703
270412 April 2021: George
2705	- Fix (increase) verbosity level for iterator error log in
2706	  processQueryTargets().
2707
270812 April 2021: Wouter
2709	- Fix permission denied sendto log, squelch the log messages
2710	  unless high verbosity is set.
2711
27129 April 2021: Wouter
2713	- rebuild configure to set EXTRALINK to libunbound.la for #460.
2714
27157 April 2021: Wouter
2716	- Fix for #411: Depth protect for crash on deleted element timeout.
2717
27181 April 2021: Wouter
2719	- Merge #460 from orbea: build: Link with the libtool archive.
2720	- Fix to stop IPv6 PMTU discovery.
2721
272231 March 2021: George
2723	- Clean makedist.sh.
2724
272531 March 2021: Wouter
2726	- Fix stack-protector change to not override other CFLAGS options.
2727
272830 March 2021: George
2729	- Disable the use of stack-protector for cross compiled 32-bit windows
2730	  builds; relates to #444.
2731
273225 March 2021: Wouter
2733	- Fix #429: Also fix end of transfer for http download of auth zones.
2734
273524 March 2021: Wouter
2736	- Fix deprecation test to work for iOS TVOS and WatchOS, it uses
2737	  CFLAGS and CPPFLAGS and also checks if the item is unavailable.
2738	- Travis, fix script to fail when tasks fail.
2739	- Travis, fix warning in ubsan compile.
2740	- Fix configure Targetconfiditionals.h header check, to use compile.
2741	- Fix that cachedb does not produce empty object files when disabled.
2742
274323 March 2021: Wouter
2744	- Travis enable all tests again. Clang analyzer only a couple times,
2745	  when there is a difference. homebrew updates disabled, so it does
2746	  not hang. removed trailing slashes from configure paths. Moved iOS
2747	  tests to allow-failure.
2748	- travis, analyzer disabled on test without debug, that does not
2749	  run anyway.  Turn off failing tests except one.  Update iOS test
2750	  to xcode image 12.2.
2751
275222 March 2021: George
2753	- Fix unused-function warning when compiling with --enable-dnscrypt.
2754	- Fix for #367: fix memory leak when cannot bind to listening port.
2755	- Reformat pythonmod/pythonmod_utils.{c,h}.
2756
275722 March 2021: Wouter
2758	- Merge #449 from orbea: build: Add missing linker flags.
2759	- iana portlist update.
2760	- Comment out nonworking OSX and IOS travis tests, vm fails to start.
2761	- Fix compile error in listen_dnsport on Android.
2762	- Fix memory leak reported by asan in rpz SOA record query name.
2763
276419 March 2021: Wouter
2765	- Fix for #447: squelch connection refused tcp connection failures
2766	  from the log, unless verbosity is high.
2767
276817 March 2021: Wouter
2769	- Fix #441: Minimal NSEC range not accepted for top level domains.
2770
277111 March 2021: Wouter
2772	- Fix parse of LOC RR type for decimetres.
2773
27745 March 2021: Wouter
2775	- Workaround for #439: prevent loops in the reuse rbtree.
2776	- Debug output for #411 and #439: printout internal error and details.
2777
27784 March 2021: Wouter
2779	- iana portlist update.
2780	- Fix spurious errors about "Could not generate request: out of
2781	  memory".  The mesh detect cycle routine no longer wrongly stops
2782	  the check when the calling mesh state is unique.
2783
278426 February 2021: George
2785	- Fix for #367: rc_ports don't have ub_sock; skip cleaning up.
2786
278726 February 2021: Wouter
2788	- Fix: Resolve interface names on control-interface too.
2789
279025 February 2021: Wouter
2791	- Merge PR #367 : DNSTAP log local address.  With code from PR #365
2792	  and fixes #368 : dnstap does not log the DNS message ID for
2793	  FORWARDER_QUERY.
2794	- Fix to allow rpz with wildcard that applies to all TLDs at once.
2795
279624 February 2021: George
2797	- Fix #384: (1) A minor request to improve the log (2) A minor bug in one
2798	  log message.
2799	- ipsecmod: Better logging for detecting a cycle when attaching the
2800	  A/AAAA subquery.
2801
280224 February 2021: Wouter
2803	- On startup of unbound it checks if rlimits on memory size look
2804	  sufficient for the configured cache size, and logs warning if not.
2805	- Fix function documentation.
2806	- Fix unit test for added ulimit checks.
2807	- spelling fix in header.
2808
280923 February 2021: Wouter
2810	- Fix for zonemd, that domain-insecure zones work without dnssec.
2811	- Fix for zonemd, do not reject insecure result from trust anchor
2812	  validation step in dnssec chain of trust.
2813
281422 February 2021: Wouter
2815	- Fix #431: Squelch permission denied errors for tcp connect
2816	  and udp connect from the logs, unless at high verbosity.
2817	- Fix for zonemd, that nxdomain for the chain of trust is allowed
2818	  for island zones, it is treated as an insecure zone for verification.
2819
282018 February 2021: Wouter
2821	- Merge PR #317: ZONEMD Zone Verification, with RFC 8976 support.
2822	  ZONEMD records are checked for zones loaded as auth-zone,
2823	  with DNSSEC if available.  There is an added option
2824	  zonemd-permissive-mode that makes it log but not fail wrong zones.
2825	  With zonemd-reject-absence for an auth-zone the presence of a
2826	  zonemd can be mandated for specific zones.
2827	- Fix doxygen and pydoc warnings.
2828	- Fix #429: rpz: url: with https: broken (regression in 1.13.1).
2829	- rpz skip nsec3param records, and nicer log for unsupported actions.
2830
283115 February 2021: Wouter
2832	- Fix #422: IPv6 fallback issues when IPv6 is not properly
2833	  enabled/configured.
2834	- Fix to make tests work with support indicators set for iterator.
2835	- Fix build on Python 3.10.
2836
283710 February 2021: Wouter
2838	- Merge PR #420 from dyunwei: DOH not responding with
2839	  "http2_query_read_done failure" logged.
2840
28419 February 2021: Wouter
2842	- Fix for Python 3.9, no longer use deprecated functions of
2843	  PyEval_CallObject (now PyObject_Call), PyEval_InitThreads (now
2844	  none), PyParser_SimpleParseFile (now Py_CompileString).
2845
28464 February 2021: Wouter
2847	- release 1.13.1rc2 tag on branch-1.13.1 with added changes of 2 feb.
2848	  This became 1.13.1 release tag on 9 feb.  The main branch is set
2849	  to version 1.13.2.
2850
28512 February 2021: Wouter
2852	- branch-1.13.1 is created, with release-1.13.1rc1 tag.
2853	- Fix dynlibmod link on rhel8 for -ldl inclusion.
2854	- Fix windows dependency on libssp.dll because of default stack
2855	  protector in mingw.
2856	- Fix indentation of root anchor for use by windows install script.
2857
28581 February 2021: George
2859	- Attempt to fix NULL keys in the reuse_tcp tree; relates to #411.
2860
286129 January 2021: Wouter
2862	- Fix for doxygen 1.8.20 compatibility.
2863
286428 January 2021: Wouter
2865	- Annotate that we ignore the return value of if_indextoname.
2866	- Fix to use correct type for label count in rpz routine.
2867	- Fix empty clause warning in config_file nsid parse.
2868	- Fix to use correct type for label count in ipdnametoaddr rpz routine.
2869	- Fix empty clause warning in edns pass for padding.
2870	- Fix fwd ancil test post script when not supported.
2871
287226 January 2021: George
2873	- Merge PR #408 from fobser: Prevent a few more yacc clashes.
2874	- Merge PR #275 from Roland van Rijswijk-Deij: Add feature to return the
2875	  original instead of a decrementing TTL ('serve-original-ttl')
2876	- Merge PR #355 from noloader: Make ICANN Update CA and DS Trust Anchor
2877	  static data.
2878	- Ignore cache blacklisting when trying to reply with expired data from
2879	  cache (#394).
2880
288126 January 2021: Wouter
2882	- Fix compile of unbound-dnstap-socket without dnstap installed.
2883
288422 January 2021: Willem
2885	- Padding of queries and responses with DNS over TLS as specified in
2886	  RFC7830 and RFC8467.
2887
288822 January 2021: George
2889	- Fix TTL of SOA record for negative answers (localzone and
2890	  authzone data) to be the minimum of the SOA TTL and the SOA.MINIMUM.
2891
289219 January 2021: Willem
2893	- Support for RFC5001: DNS Name Server Identifier (NSID) Option
2894	  with the nsid: option in unbound.conf
2895
289618 January 2021: Wouter
2897	- Fix #404: DNS query with small edns bufsize fail.
2898	- Fix declaration before statement and signed comparison warning in
2899	  dns64.
2900
290115 January 2021: Wouter
2902	- Merge #402 from fobser: Implement IPv4-Embedded addresses according
2903	  to RFC6052.
2904
290514 January 2021: Wouter
2906	- Fix for #93: dynlibmodule import library is named libunbound.dll.a.
2907
290813 January 2021: Wouter
2909	- Merge #399 from xiangbao227: The lock of lruhash table should
2910	  unlocked after markdel entry.
2911	- Fix for #93: dynlibmodule link fix for Windows.
2912
291312 January 2021: Wouter
2914	- Fix #397: [Feature request] add new type always_null to local-zone
2915	  similar to always_nxdomain.
2916	- Fix so local zone types always_nodata and always_deny can be used
2917	  from the config file.
2918
29198 January 2021: Wouter
2920	- Merge PR #391 from fhriley: Add start_time to reply callbacks so
2921	  modules can compute the response time.
2922	- For #391: use struct timeval* start_time for callback information.
2923	- For #391: fix indentation.
2924	- For #391: more double casts in python start time calculation.
2925	- Add comment documentation.
2926	- Fix clang analysis warning.
2927
29286 January 2021: Wouter
2929	- Fix #379: zone loading over HTTP appears to have buffer issues.
2930	- Merge PR #395 from mptre: add missing null check.
2931	- Fix #387: client-subnet-always-forward seems to effectively bypass
2932	  any caching?
2933
29345 January 2021: Wouter
2935	- Fix #385: autoconf 2.70 impacts unbound build
2936	- Merge PR #375 by fhriley: Add rpz_enable and rpz_disable commands
2937	  to unbound-control.
2938
29394 January 2021: Wouter
2940	- For #376: Fix that comm point event is not double removed or double
2941	  added to event map.
2942	- iana portlist updated.
2943
294416 December 2020: George
2945	- Fix error cases when udp-connect is set and send() returns an error
2946	  (modified patch from Xin Li @delphij).
2947
294811 December 2020: Wouter
2949	- Fix #371: unbound-control timeout when Unbound is not running.
2950	- Fix to squelch permission denied and other errors from remote host,
2951	  they are logged at higher verbosity but not on low verbosity.
2952	- Merge PR #335 from fobser: Sprinkle in some static to prevent
2953	  missing prototype warnings.
2954	- Merge PR #373 from fobser: Warning: arithmetic on a pointer to void
2955	  is a GNU extension.
2956	- Fix missing prototypes in the code.
2957
29583 December 2020: Wouter
2959	- make depend.
2960	- iana portlist updated.
2961
29622 December 2020: Wouter
2963	- Fix #360: for the additionally reported TCP Fast Open makes TCP
2964	  connections fail, in that case we print a hint that this is
2965	  happening with the error in the logs.
2966	- Fix #356: deadlock when listening tcp.
2967	- Fix unbound-dnstap-socket to not use log routine from interrupt
2968	  handler and not print so frequently when invoked in sequence.
2969	- Fix on windows to ignore connection failure on UDP, unless verbose.
2970	- Fix for #283: fix stream reuse and tcp fast open.
2971	- Fix update, with write event check with streamreuse and fastopen.
2972
29731 December 2020: Wouter
2974	- Fix #358: Squelch udp connect 'no route to host' errors on low
2975	  verbosity.
2976
297730 November 2020: Wouter
2978	- Fix assertion failure on double callback when iterator loses
2979	  interest in query at head of line that then has the tcp stream
2980	  not kept for reuse.
2981	- tag for the 1.13.0rc4 release.  This also became the 1.13.0
2982	  release version on 3 dec 2020 with the streamreuse and fastopen
2983	  fix from 2 dec 2020.  The code repo continues for 1.13.1 in
2984	  development.
2985
298627 November 2020: Wouter
2987	- Fix compile warning for type cast in http2_submit_dns_response.
2988	- Fix when use free buffer to initialize rbtree for stream reuse.
2989	- Fix compile warnings for windows.
2990	- Fix compile warnings in rpz initialization.
2991	- Fix contrib/metrics.awk for FreeBSD awk compatibility.
2992	- tag for the 1.13.0rc3 release.
2993
299426 November 2020: Wouter
2995	- Fix to omit UDP receive errors from log, if verbosity low.
2996	  These happen because of udp-connect.
2997	- For #352: contrib/metrics.awk for Prometheus style metrics output.
2998	- Fix that after failed read, the readagain cannot activate.
2999	- Clear readagain upon decommission of pending tcp structure.
3000
300125 November 2020: Wouter
3002	- with udp-connect ignore connection refused with UDP timeouts.
3003	- Fix udp-connect on FreeBSD, do send calls on connected UDP socket.
3004	- Better fix for reuse tree comparison for is-tls sockets.  Where
3005	  the tree key identity is preserved after cleanup of the TLS state.
3006	- Remove debug commands from reuse tests.
3007	- Fix memory leak for edns client tag opcode config element.
3008	- Attempt fix for libevent state in tcp reuse cases after a packet
3009	  is written.
3010	- Fix readagain and writeagain callback functions for comm point
3011	  cleanup.
3012	- tag for the 1.13.0rc2 release.
3013
301424 November 2020: Wouter
3015	- Merge PR #283 : Stream reuse.  This implements upstream stream
3016	  reuse for performing several queries over the same TCP or TLS
3017	  channel.
3018	- set version of main branch to 1.13.0 for upcoming release.
3019	- iana portlist updated.
3020	- Fix one port unit test for udp-connect.
3021	- tag for the 1.13.0rc1 release.
3022	- Fix crash when TLS connection is closed prematurely, when
3023	  reuse tree comparison is not properly identical to insertion.
3024	- Fix padding of struct regional for 32bit systems.
3025
302623 November 2020: George
3027	- Merge PR #313 from Ralph Dolmans: Replace edns-client-tag with
3028	  edns-client-string option.
3029
303023 November 2020: Wouter
3031	- Merge #351 from dvzrv: Add AF_NETLINK to set of allowed socket
3032	  address families.
3033	- Fix #350: with the AF_NETLINK permission, to fix 1.12.0 error:
3034	  failed to list interfaces: getifaddrs: Address family not
3035	  supported by protocol.
3036	- Fix #347: IP_DONTFRAG broken on Apple xcode 12.2.
3037	- Option to toggle udp-connect, default is enabled.
3038	- Fix for #303 CVE-2020-28935 : Fix that symlink does not interfere
3039	  with chown of pidfile.
3040	- Further fix for it and retvalue 0 fix for it.
3041
304212 November 2020: Wouter
3043	- Fix to connect() to UDP destinations, default turned on,
3044	  this lowers vulnerability to ICMP side channels.
3045	- Retry for interfaces with unused ports if possible.
3046
304710 November 2020: Wouter
3048	- Fix #341: fixing a possible memory leak.
3049	- Fix memory leak after fix for possible memory leak failure.
3050	- Fix #343: Fail to build --with-libnghttp2 with error: 'SSIZE_MAX'
3051	  undeclared.
3052
305327 October 2020: Wouter
3054	- In man page note that tls-cert-bundle is read before permission
3055	  drop and chroot.
3056
305722 October 2020: Wouter
3058	- Fix #333: Unbound Segmentation Fault w/ log_info Functions From
3059	  Python Mod.
3060	- Fix that minimal-responses does not remove addresses from a priming
3061	  query response.
3062
306321 October 2020: George
3064	- Fix #327: net/if.h check fails on some darwin versions; contribution by
3065	  Joshua Root.
3066	- Fix #320: potential memory corruption due to size miscomputation upton
3067	  custom region alloc init.
3068
306921 October 2020: Wouter
3070	- Merge PR #228 : infra-keep-probing option to probe hosts that are
3071	  down.  Add infra-keep-probing: yes option. Hosts that are down are
3072	  probed more frequently.
3073	  With the option turned on, it probes about every 120 seconds,
3074	  eventually after exponential backoff, and that keeps that way. If
3075	  traffic keeps up for the domain. It probes with one at a time, eg.
3076	  one query is allowed to probe, other queries within that 120 second
3077	  interval are turned away.
3078
307919 October 2020: George
3080	- Merge PR #324 from James Renken: Add modern X.509v3 extensions to
3081	  unbound-control TLS certificates.
3082	- Fix for PR #324 to attach the x509v3 extensions to the client
3083	  certificate.
3084
308519 October 2020: Ralph
3086	- local-zone regional allocations outside of chunk
3087
308819 October 2020: Wouter
3089	- Fix that http settings have colon in set_option, for
3090	  http-endpoint, http-max-streams, http-query-buffer-size,
3091	  http-response-buffer-size, and http-nodelay.
3092	- Fix memory leak of https port string when reading config.
3093	- Fix #330: [Feature request] Add unencrypted DNS over HTTPS support.
3094	  This adds the option http-notls-downstream: yesno to change that,
3095	  and the dohclient test code has the -n option.
3096	- Fix python documentation warning on functions.rst inplace_cb_reply.
3097	- Fix dnstap test to wait for log timer to see if queries are logged.
3098	- Log ip address when http session recv fails, eg. due to tls fail.
3099	- Fix to set the tcp handler event toggle flag back to default when
3100	  the handler structure is reused.
3101	- Clean the fix for out of order TCP processing limits on number
3102	  of queries.  It was tested to work.
3103
310416 October 2020: Wouter
3105	- Fix that the out of order TCP processing does not limit the
3106	  number of outstanding queries over a connection.
3107
310815 October 2020: George
3109	- Fix that if there are reply callbacks for the given rcode, those
3110	  are called per reply and a new message created if that was modified
3111	  by the call.
3112	- Pass the comm_reply information to the inplace_cb_reply* functions
3113	  during the mesh state and update the documentation on that.
3114
311515 October 2020: Wouter
3116	- Merge PR #326 from netblue30: DoH: implement content-length
3117	  header field
3118	- DoH content length, simplify code, remove declaration after
3119	  statement and fix cast warning.
3120
312114 October 2020: Wouter
3122	- Fix for python reply callback to see mesh state reply_list member,
3123	  it only removes it briefly for the commpoint call so that it does
3124	  not drop it and attempt to modify the reply list during reply.
3125	- Fix that if there are on reply callbacks, those are called per
3126	  reply and a new message created if that was modified by the call.
3127	- Free up auth zone parse region after use for lookup of host
3128
312913 October 2020: Wouter
3130	- Fix #323: unbound testsuite fails on mock build in systemd-nspawn
3131	  if systemd support is build.
3132
31339 October 2020: Wouter
3134	- Fix dnstap socket and the chroot not applied properly to the dnstap
3135	  socket path.
3136	- Fix warning in libnss compile, nss_buf2dsa is not used without DSA.
3137
31388 October 2020: Wouter
3139	- Tag for 1.12.0 release.
3140	- Current repo is version 1.12.1 in development.
3141	- Fix #319: potential memory leak on config failure, in rpz config.
3142
31431 October 2020: Wouter
3144	- Current repo is version 1.12.0 for release.  Tag for 1.12.0rc1.
3145
314630 September 2020: Wouter
3147	- Fix doh tests when not compiled in.
3148	- Add dohclient test executable to gitignore.
3149	- Fix stream_ssl, ssl_req_order and ssl_req_timeout tests for
3150	  alloc check debug output.
3151	- Easier kill of unbound-dnstap-socket tool in test.
3152	- Fix memory leak of edns tags at libunbound context delete.
3153	- Fix double loopexit for unbound-dnstap-socket after sigterm.
3154
315529 September 2020: Ralph
3156	- DNS Flag Day 2020: change edns-buffer-size default to 1232.
3157
315828 September 2020: Wouter
3159	- Fix unit test for dnstap changes, so that it waits for the timer.
3160
316123 September 2020: Wouter
3162	- Fix #305: dnstap logging significantly affects unbound performance
3163	  (regression in 1.11).
3164	- Fix #305: only wake up thread when threshold reached.
3165	- Fix to ifdef fptr wlist item for dnstap.
3166
316723 September 2020: Ralph
3168	- Fix edns-client-tags get_option typo
3169	- Add edns-client-tag-opcode option
3170	- Use inclusive language in configuration
3171
317221 September 2020: Ralph
3173	- Fix #304: dnstap logging not recovering after dnstap process restarts
3174
317521 September 2020: Wouter
3176	- Merge PR #311 by luismerino: Dynlibmod leak.
3177	- Error message is logged for dynlibmod malloc failures.
3178	- iana portlist updated.
3179
318018 September 2020: Wouter
3181	- Fix that prefer-ip4 and prefer-ip6 can be get and set with
3182	  unbound-control, with libunbound and the unbound-checkconf option
3183	  output function.
3184	- iana portlist updated.
3185
318615 September 2020: George
3187	- Introduce test for statistics.
3188
318915 September 2020: Wouter
3190	- Spelling fix.
3191
319211 September 2020: Wouter
3193	- Remove x file mode on ipset/ipset.c and h files.
3194
31959 September 2020: Wouter
3196	- Fix num.expired statistics output.
3197
319831 August 2020: Wouter
3199	- Merge PR #293: Add missing prototype.  Also refactor to use the new
3200	  shorthand function to clean up the code.
3201	- Refactor to use sock_strerr shorthand function.
3202	- Fix #296: systemd nss-lookup.target is reached before unbound can
3203	  successfully answer queries. Changed contrib/unbound.service.in.
3204
320527 August 2020: Wouter
3206	- Similar to NSD PR#113, implement that interface names can be used,
3207	  eg. something like interface: eth0 is resolved at server start and
3208	  uses the IP addresses for that named interface.
3209	- Review fix, doxygen and assign null in case of error free.
3210
321126 August 2020: George
3212	- Update documentation in python example code.
3213
321424 August 2020: Wouter
3215	- Fix that dnstap reconnects do not spam the log with the repeated
3216	  attempts.  Attempts on the timer are only logged on high verbosity,
3217	  if they produce a connection failure error.
3218	- Fix to apply chroot to dnstap-socket-path, if chroot is enabled.
3219	- Change configure to use EVP_sha256 instead of HMAC_Update for
3220	  openssl-3.0.0.
3221
322220 August 2020: Ralph
3223	- Fix stats double count issue (#289).
3224
322513 August 2020: Ralph
3226	- Create and init edns tags data for libunbound.
3227
322810 August 2020: Ralph
3229	- Merge (modified) PR #277, use EVP_MAC_CTX_set_params if available,
3230	  by Vítězslav Čížek.
3231
323210 August 2020: Wouter
3233	- Fix #287: doc typo: "Additionaly".
3234	- Rerun autoconf
3235
32366 August 2020: Wouter
3237	- Merge PR #284 and Fix #246: Remove DLV entirely from Unbound.
3238	  The DLV has been decommissioned and in unbound 1.5.4, in 2015, there
3239	  was advise to stop using it.  The current code base does not contain
3240	  DLV code any more.  The use of dlv options displays a warning.
3241
32425 August 2020: Wouter
3243	- contrib/aaaa-filter-iterator.patch file renewed diff content to
3244	  apply cleanly to the current coderepo for the current code version.
3245
32465 August 2020: Ralph
3247	- Merge PR #272: Add EDNS client tag functionality.
3248
32494 August 2020: George
3250	- Improve error log message when inserting rpz RR.
3251	- Merge PR #280, Make tvOS & watchOS checks verify truthiness as well as
3252	  definedness, by Felipe Gasper.
3253
32544 August 2020: Wouter
3255	- Fix mini_event.h on OpenBSD cannot find fd_set.
3256
325731 July 2020: Wouter
3258	- Fix doxygen comment for no ssl for tls session ticket key callback
3259	  routine.
3260
326127 July 2020: George
3262	- Merge PR #268, draft-ietf-dnsop-serve-stale-10 has become RFC 8767 on
3263	  March 2020, by and0x000.
3264
326527 July 2020: Ralph
3266	- Merge PR #269, Fix python module len() implementations, by Torbjörn
3267	  Lönnemark
3268
326927 July 2020: Wouter
3270	- branch now named 1.11.1.  1.11.0rc1 became the 1.11.0 release.
3271	- Merge PR #270 from cgzones: munin plugin: always exit 0 in autoconf
3272
327320 July 2020: Wouter
3274	- Fix streamtcp to print packet data to stdout.  This makes the
3275	  stdout and stderr not mix together lines, when parsing its output.
3276	- Fix contrib/fastrpz.patch to apply cleanly.  It fixes for changes
3277	  due to added libdynmod, but it does not compile, it conflicts with
3278	  new rpz code.
3279	- branch now named 1.11.0 and 1.11.0rc1 tag.
3280
328117 July 2020: Wouter
3282	- Fix libnettle compile for session ticket key callback function
3283	  changes.
3284	- Fix lock dependency cycle in rpz zone config setup.
3285
328617 July 2020: Ralph
3287	- Merge PR #234 - Ensure proper alignment of cmsg buffers by Jérémie
3288	  Courrèges-Anglas.
3289	- Fix PR #234 log_assert sizeof to use union buffer.
3290
329116 July 2020: Wouter
3292	- Fix check conf test for referencing installation paths.
3293	- Fix unused variable warning for clang analyzer.
3294
329516 July 2020: George
3296	- Introduce 'include-toplevel:' configuration option.
3297
329816 July 2020: Ralph
3299	- Add bidirectional frame streams support.
3300
33018 July 2020: Wouter
3302	- Fix add missing DSA header, for compilation without deprecated
3303	  OpenSSL APIs.
3304	- Fix to use SSL_CTX_set_tlsext_ticket_key_evp_cb in OpenSSL
3305	  3.0.0-alpha4.
3306	- Longer keys for the test set, this avoids weak crypto errors.
3307
33087 July 2020: Wouter
3309	- Fix #259: Fix unbound-checkconf does not check view existence.
3310	  unbound-checkconf checks access-control-view, access-control-tags,
3311	  access-control-tag-actions and access-control-tag-datas.
3312	- Fix offset of error printout for access-control-tag-datas.
3313	- Review fixes for checkconf #259 change.
3314
33156 July 2020: Wouter
3316	- run_vm cleanup better and removes trailing slash on single argument.
3317
331829 June 2020: Wouter
3319	- Move reply list clean for serve expired mesh callback to after
3320	  the reply is sent, so that script callbacks have reply_info.
3321	- Also move reply list clean for mesh callbacks to the scrip callback
3322	  can see the reply_info.
3323	- Fix for mesh accounting if the reply list already empty to begin
3324	  with.
3325	- Fix for mesh accounting when rpz decides to drop a reply with a
3326	  tcp stream waiting for it.
3327	- Review fix for number of detached states due to use of variable
3328	  after end of loop.
3329	- Fix tcp req info drop due to size call into mesh accounting
3330	  removal of mesh state during mesh send reply.
3331
333224 June 2020: Wouter
3333	- iana portlist updated.
3334	- doxygen file comments for dynlibmodule.
3335
333617 June 2020: Wouter
3337	- Fix default explanation in man page for qname-minimisation-strict.
3338	- Fix display of event loop method with libev.
3339
33408 June 2020: Wouter
3341	- Mention tls name possible when tls is enabled for stub-addr in the
3342	  man page.
3343
334427 May 2020: George
3345	- Merge PR #241 by Robert Edmonds: contrib/libunbound.pc.in: Do not use
3346	  "Requires:".
3347
334825 May 2020: George
3349	- Update contrib/aaaa-filter-iterator.patch for the recent
3350	  generate_sub_request() change and to apply cleanly.
3351
335221 May 2020: George
3353	- Fix for integer overflow when printing RDF_TYPE_TIME.
3354
335519 May 2020: Wouter
3356	- CVE-2020-12662 Unbound can be tricked into amplifying an incoming
3357	  query into a large number of queries directed to a target.
3358	- CVE-2020-12663 Malformed answers from upstream name servers can be
3359	  used to make Unbound unresponsive.
3360	- Release 1.10.1 is 1.10.0 with fixes, code repository continues,
3361	  including those fixes, towards the next release.  Configure has
3362	  version 1.10.2 version number in it.
3363	- For PR #93: windows compile warnings removal
3364	- windows compile warnings removal for ip dscp option code.
3365	- For PR #93: unit test for dynlib module.
3366
336718 May 2020: Wouter
3368	- For PR #93: dynlibmod can handle reloads and deinit and inits again,
3369	  with dlclose and dlopen of the library again.  Also for multiple
3370	  modules.  Fix memory leak by not closing dlopened content.  Fix
3371	  to allow one dynlibmod instance by unbound-checkconf.
3372	- For PR #93: checkconf allows multiple dynlib in module-config, for
3373	  a couple cases.
3374	- For PR #93: checkconf allows python dynlib in module-config, for
3375	  a couple cases.
3376	- For PR #93: man page spelling reference fix.
3377	- For PR #93: fix link of other executables for dynlibmod dependency.
3378
337915 May 2020: Wouter
3380	- Merge PR #93: Add dynamic library support.
3381	- Fixed conflicts for PR #93 and make configure, yacc, lex.
3382	- For PR #93: Fix warnings for dynlibmodule.
3383
338415 May 2020: Ralph
3385	- Cache ECS answers with longest scope of CNAME chain.
3386
338722 April 2020: George
3388	- Explicitly use 'rrset-roundrobin: no' for test cases.
3389
339021 April 2020: Wouter
3391	- Merge #225 from akhait: KSK-2010 has been revoked. It removes the
3392	  KSK-2010 from the default list in unbound-anchor, now that the
3393	  revocation period is over.  KSK-2017 is the only trust anchor in
3394	  the shipped default now.
3395
339621 April 2020: George
3397	- Change default value for 'rrset-roundrobin' to yes.
3398	- Fix tests for new rrset-roundrobin default.
3399
340020 April 2020: Wouter
3401	- Fix #222: --enable-rpath, fails to rpath python lib.
3402	- Fix for count of reply states in the mesh.
3403	- Remove unneeded was_mesh_reply check.
3404
340517 April 2020: George
3406	- Add SNI support on more TLS connections (fixes #193).
3407	- Add SNI support to unbound-anchor.
3408
340916 April 2020: George
3410	- Add doxygen documentation for DSCP.
3411
341216 April 2020: Wouter
3413	- Fix help return code in unbound-control-setup script.
3414	- Fix for posix shell syntax for trap in nsd-control-setup.
3415	- Fix for posix shell syntax for trap in run_msg.sh test script.
3416
341715 April 2020: George
3418	- Fix #220: auth-zone section in config may lead to segfault.
3419
34207 April 2020: Wouter
3421	- Merge PR #214 from gearnode: unbound-control-setup recreate
3422	  certificates.  With the -r option the certificates are created
3423	  again, without it, only the files that do not exist are created.
3424
34256 April 2020: Ralph
3426	- Keep track of number of timeouts. Use this counter to determine if
3427	  capsforid fallback should be started.
3428
34296 April 2020: George
3430	- More documentation for redis-expire-records option.
3431
34321 April 2020: George
3433	- Merge PR #206: Redis TTL, by Talkabout.
3434
343530 March 2020: Wouter
3436	- Merge PR #207: Clarify if-automatic listens on 0.0.0.0 and ::
3437	- Merge PR #208: Fix uncached CLIENT_RESPONSE'es on stateful
3438	  transports.
3439
344027 March 2020: Wouter
3441	- Merge PR #203 from noloader: Update README-Travis.md with current
3442	  procedures.
3443
344427 March 2020: Ralph
3445	- Make unbound-control error returned on missing domain name more user
3446	  friendly.
3447
344826 March 2020: Ralph
3449	- Fix RPZ concurrency issue when using auth_zone_reload.
3450
345125 March 2020: George
3452	- Merge PR #201 from noloader: Fix OpenSSL cross-compaile warnings.
3453	- Fix on #201.
3454
345524 March 2020: Wouter
3456	- Merge PR #200 from yarikk: add ip-dscp option to specify the DSCP
3457	  tag for outgoing packets.
3458	- Fixes on #200.
3459	- Travis fix for ios by omitting tools from install.
3460
346123 March 2020: Wouter
3462	- Fix compile on Solaris for unbound-checkconf.
3463
346420 March 2020: George
3465	- Merge PR #198 from fobser: Declare lz_enter_rr_into_zone() static, it's
3466	  only used in this file.
3467
346820 March 2020: Wouter
3469	- Merge PR #197 from fobser: Make log_ident_revert_to_default() a
3470	  proper prototype.
3471
347219 March 2020: Ralph
3473	- Merge PR#191: Update iOS testing on Travis, by Jeffrey Walton.
3474	- Fix #158: open tls-session-ticket-keys as binary, for Windows. By
3475	  Daisuke HIGASHI.
3476	- Merge PR#134, Allow the kernel to provide random source ports. By
3477	  Florian Obser.
3478	- Log warning when using outgoing-port-permit and outgoing-port-avoid
3479	  while explicit port randomisation is disabled.
3480	- Merge PR#194: Add libevent testing to Travis, by Jeffrey Walton.
3481	- Fix .travis.yml error, missing 'env' option.
3482
348316 March 2020: Wouter
3484	- Fix #192: In the unbound-checkconf tool, the module config of
3485	  dns64 subnetcache respip validator iterator is whitelisted, it was
3486	  reported it seems to work.
3487
348812 March 2020: Wouter
3489	- Fix compile of test tools without protobuf.
3490
349111 March 2020: Ralph
3492	- Add check to make sure RPZ records are subdomains of configured
3493	  zone origin.
3494
349511 March 2020: George
3496	- Fix #189: mini_event.h:142:17: error: field 'ev_timeout' has incomplete
3497	  type, by noloader.
3498	- Changelog entry for (Fix #189, Merge PR #190).
3499
350011 March 2020: Wouter
3501	- Fix #188: unbound-control.c:882:6: error: 'execlp' is
3502	  unavailable: not available on tvOS.
3503
35046 March 2020: George
3505	- Merge PR #186, fix #183: Fix unrecognized 'echo -n' option on OS X, by
3506	  noloader
3507
35085 March 2020: Wouter
3509	- Fix PR #182 from noloader: Add iOS testing to Travis.
3510
35114 March 2020: Ralph
3512	- Update README-Travis.md (from PR #179), by Jeffrey Walton.
3513
35144 March 2020: George
3515	- Merge PR #181 from noloader: Fix OpenSSL -pie warning on Android.
3516
35174 March 2020: Wouter
3518	- Merge PR #180 from noloader: Avoid calling exit in Travis script.
3519
35203 March 2020: George
3521	- Upgrade config.guess(2020-01-01) and config.sub(2020-01-01).
3522
35232 March 2020: Ralph
3524	- Fix #175, Merge PR #176: fix link error when OpenSSL is configured
3525 	  with no-engine, thanks noloader.
3526
35272 March 2020: George
3528	- Fix compiler warning in dns64/dns64.c
3529	- Merge PR #174: Add Android to Travis testing, by noloader.
3530	- Move android build scripts to contrib/ and allow android tests to fail.
3531
35322 March 2020: Wouter
3533	- Fix #177: dnstap does not build on macOS.
3534
353528 February 2020: Ralph
3536	- Merge PR #172: Add IBM s390x arch for testing, by noloader.
3537
353828 February 2020: Wouter
3539	- Merge PR #173: updated makedist.sh for config.guess and
3540	  config.sub and sha256 digest for gpg, by noloader.
3541	- Merge PR #164: Framestreams, this branch implements dnstap
3542	  unidirectional connectivity in unbound. This has a number of
3543	  new features.
3544
3545	  The dependency on libfstrm is removed. The fstrm protocol code
3546	  resides in dnstap/dnstap_fstrm.h and dnstap/dnstap_fstrm.c. This
3547	  contains a brief definition of what unbound needs.
3548
3549	  The make unbound-dnstap-socket builds a debug tool,
3550	  unbound-dnstap-socket. It can listen, accept multiple DNSTAP
3551	  streams and print information. Commandline options control it.
3552
3553	  Unbound can reconnect if the unix domain socket file socket is
3554	  closed. This uses exponential backoff after which it uses a
3555	  one second timer to throttle cpu down. There is also support
3556	  to use TCP and TLS for connecting to the log server. There
3557	  are new config options to turn them on, in the dnstap section
3558	  in the man page and example config file. dnstap-ip with IP
3559	  address of server for TCP or TLS use. dnstap-tls to turn
3560	  on TLS. And dnstap-tls-server-name, dnstap-tls-cert-bundle,
3561	  dnstap-tls-client-key-file and dnstap-tls-client-cert-file
3562	  to configure the certificates for server authentication and
3563	  client authentication, or leave at "" to not use that.
3564
356527 February 2020: George
3566	- Merge PR #171: Add additional compilers and platforms to Travis
3567	  testing, by noloader.
3568
356927 February 2020: Wouter
3570	- Fix #169: Fix warning for daemon/remote.c output may be truncated
3571	  from snprintf.
3572	- Fix #170: Fix gcc undefined sanitizer signed integer overflow
3573	  warning in signature expiry RFC1982 serial number arithmetic.
3574	- Fix more undefined sanitizer issues, in respip copy_rrset null
3575	  dname, and in the client_info_compare routine for null memcmp.
3576
357726 February 2020: Wouter
3578	- iana portlist updated.
3579
358025 February 2020: Wouter
3581	- Fix #165: Add prefer-ip4: yesno config option to prefer ipv4 for
3582	  using ipv4 filters, because the hosts ip6 netblock /64 is not owned
3583	  by one operator, and thus reputation is shared.
3584
358524 February 2020: George
3586	- Merge PR #166: Fix typo in unbound.service.in, by glitsj16.
3587
358820 February 2020: Wouter
3589	- Updated contrib/unbound_smf23.tar.gz with Solaris SMF service for
3590	  Unbound from Yuri Voinov.
3591	- master branch has 1.10.1 version.
3592
359318 February 2020: Wouter
3594	- protect X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS with ifdef for
3595	  different openssl versions.
3596
359717 February 2020: Wouter
3598	- changelog point where the tag for 1.10.0rc2 release is.  And with
3599	  the unbound_smf23 commit added to it, that is the 1.10.0 release.
3600
360117 February 2020: Ralph
3602	- Add respip to supported module-config options in unbound-checkconf.
3603
360417 February 2020: George
3605	- Remove unused variable.
3606
360717 February 2020: Wouter
3608	- contrib/drop2rpz: perl script that converts the Spamhaus DROP-List
3609	  in RPZ-Format, contributed by Andreas Schulze.
3610
361114 February 2020: Wouter
3612	- Fix spelling in unbound.conf.5.in.
3613	- Stop unbound-checkconf from insisting that auth-zone and rpz
3614	  zonefiles have to exist.  They can not exist, and download later.
3615
361613 February 2020: Wouter
3617	- tag for 1.10.0rc1 release.
3618
361912 February 2020: Wouter
3620	- Fix with libnettle make test with dsa disabled.
3621	- Fix contrib/fastrpz.patch to apply cleanly.  Fix for serve-stale
3622	  fixes, but it does not compile, conflicts with new rpz code.
3623	- Fix to clean memory leak of respip_addr.lock when ip_tree deleted.
3624	- Fix compile warning when threads disabled.
3625	- updated version number to 1.10.0.
3626
362710 February 2020: George
3628	- Document 'ub_result.was_ratelimited' in libunbound.
3629	- Fix use after free on log-identity after a reload; Fixes #163.
3630
36316 February 2020: George
3632	- Fix num_reply_states and num_detached_states counting with
3633	  serve_expired_callback.
3634	- Cleaner code in mesh_serve_expired_lookup.
3635	- Document in unbound.conf manpage that configuration clauses can be
3636	  repeated in the configuration file.
3637
36386 February 2020: Wouter
3639	- Fix num_reply_addr counting in mesh and tcp drop due to size
3640	  after serve_stale commit.
3641	- Fix to create and destroy rpz_lock in auth_zones structure.
3642	- Fix to lock zone before adding rpz qname trigger.
3643	- Fix to lock and release once in mesh_serve_expired_lookup.
3644	- Fix to put braces around empty if body when threading is disabled.
3645
36465 February 2020: George
3647	- Added serve-stale functionality as described in
3648	  draft-ietf-dnsop-serve-stale-10. `serve-expired-*` options can be used
3649	  to configure the behavior.
3650	- Updated cachedb to honor `serve-expired-ttl`; Fixes #107.
3651	- Renamed statistic `num.zero_ttl` to `num.expired` as expired replies
3652	  come with a configurable TTL value (`serve-expired-reply-ttl`).
3653	- Fixed stats when replying with cached, cname-aliased records.
3654	- Added missing default values for redis cachedb backend.
3655
36563 February 2020: Ralph
3657	- Add assertion to please static analyzer
3658
365931 January 2020: Wouter
3660	- Fix fclose on error in TLS session ticket code.
3661
366230 January 2020: Ralph
3663	- Fix memory leak in error condition remote.c
3664	- Fix double free in error condition view.c
3665	- Fix memory leak in do_auth_zone_transfer on success
3666	- Merge RPZ support into master. Only QNAME and Response IP triggers are
3667	  supported.
3668	- Stop working on socket when socket() call returns an error.
3669	- Check malloc return values in TLS session ticket code
3670
367130 January 2020: Wouter
3672	- Fix subnet tests for disabled DSA algorithm by default.
3673	- Update contrib/fastrpz.patch for clean diff with current code.
3674	- Merge PR#151: Fixes for systemd units, by Maryse47, Edmonds
3675	  and Frzk.  Updates the unbound.service systemd file and adds
3676	  a portable systemd service file.
3677	- updated .gitignore for added contrib file.
3678	- Add build rule for ipset to Makefile
3679	- Add getentropy_freebsd.o to Makefile dependencies.
3680
368129 January 2020: Ralph
3682	- Merge PR#156 from Alexander Berkes; Added unbound-control
3683	  view_local_datas_remove command.
3684
368529 January 2020: Wouter
3686	- Fix #157: undefined reference to `htobe64'.
3687
368828 January 2020: Ralph
3689	- Merge PR#147; change rfc reference for reserved top level dns names.
3690
369128 January 2020: Wouter
3692	- iana portlist updated.
3693	- Fix to silence the tls handshake errors for broken pipe and reset
3694	  by peer, unless verbosity is set to 2 or higher.
3695
369627 January 2020: Ralph
3697	- Merge PR#154; Allow use of libbsd functions with configure option
3698	  --with-libbsd. By Robert Edmonds and Steven Chamberlain.
3699	- Merge PR#148; Add some TLS stats to unbound_munin_. By Fredrik Pettai.
3700
370127 January 2020: Wouter
3702	- Merge PR#155 from Robert Edmonds: contrib/libunbound.pc.in: Fixes
3703	  to Libs/Requires for crypto library dependencies.
3704	- Fix #153: Disable validation for DSA algorithms.  RFC 8624
3705	  compliance.
3706
370723 January 2020: Wouter
3708	- Merge PR#150 from Frzk: Systemd unit without chroot.  It add
3709	  contrib/unbound_nochroot.service.in, a systemd file for use with
3710	  chroot: "", see comments in the file, it uses systemd protections
3711	  instead.
3712
371314 January 2020: Wouter
3714	- Removed the dnscrypt_queries and dnscrypt_queries_chacha tests,
3715	  because dnscrypt-proxy (2.0.36) does not support the test setup
3716	  any more, and also the config file format does not seem to have
3717	  the appropriate keys to recreate that setup.
3718	- Fix crash after reload where a stats lookup could reference old key
3719	  cache and neg cache structures.
3720	- Fix for memory leak when edns subnet config options are read when
3721	  compiled without edns subnet support.
3722	- Fix auth zone support for NSEC3 records without salt.
3723
372410 January 2020: Wouter
3725	- Fix the relationship between serve-expired and prefetch options,
3726	  patch from Saksham Manchanda from Secure64.
3727	- Fix unreachable code in ssl set options code.
3728
37298 January 2020: Ralph
3730	- Fix #138: stop binding pidfile inside chroot dir in systemd service
3731	  file.
3732
37338 January 2020: Wouter
3734	- Fix 'make test' to work for --disable-sha1 configure option.
3735	- Fix out-of-bounds null-byte write in sldns_bget_token_par while
3736	  parsing type WKS, reported by Luis Merino from X41 D-Sec.
3737	- Updated sldns_bget_token_par fix for also space for the zero
3738	  delimiter after the character.  And update for more spare space.
3739
37406 January 2020: George
3741	- Downgrade compat/getentropy_solaris.c to version 1.4 from OpenBSD.
3742	  The dl_iterate_phdr() function introduced in newer versions raises
3743	  compilation errors on solaris 10.
3744	- Changes to compat/getentropy_solaris.c for,
3745	  ifdef stdint.h inclusion for older systems.
3746	  ifdef sha2.h inclusion for older systems.
3747
37486 January 2020: Wouter
3749	- Merge #135 from Florian Obser: Use passed in neg and key cache
3750	  if non-NULL.
3751	- Fix #140: Document slave not downloading new zonefile upon update.
3752
375316 December 2019: George
3754	- Update mailing list URL.
3755
375612 December 2019: Ralph
3757	- Master is 1.9.7 in development.
3758	- Fix typo to let serve-expired-ttl work with ub_ctx_set_option(), by
3759	  Florian Obser
3760
376110 December 2019: Wouter
3762	- Fix to make auth zone IXFR to fallback to AXFR if a single
3763	  response RR is received over TCP with the SOA in it.
3764
37656 December 2019: Wouter
3766	- Fix ipsecmod compile.
3767	- Fix Makefile.in for ipset module compile, from Adi Prasaja.
3768	- release-1.9.6 tag, which became the 1.9.6 release
3769
37705 December 2019: Wouter
3771	- unbound-fuzzers.tar.bz2: three programs for fuzzing, that are 1:1
3772	  replacements for unbound-fuzzme.c that gets created after applying
3773	  the contrib/unbound-fuzzme.patch.  They are contributed by
3774	  Eric Sesterhenn from X41 D-Sec.
3775	- tag for 1.9.6rc1.
3776
37774 December 2019: Wouter
3778	- Fix lock type for memory purify log lock deletion.
3779	- Fix testbound for alloccheck runs, memory purify and lock checks.
3780	- update contrib/fastrpz.patch to apply more cleanly.
3781	- Fix Make Test Fails when Configured With --enable-alloc-nonregional,
3782	  reported by X41 D-Sec.
3783
37843 December 2019: Wouter
3785	- Merge pull request #124 from rmetrich: Changed log lock
3786	  from 'quick' to 'basic' because this is an I/O lock.
3787	- Fix text around serial arithmetic used for RRSIG times to refer
3788	  to correct RFC number.
3789	- Fix Assert Causing DoS in synth_cname(),
3790	  reported by X41 D-Sec.
3791	- Fix similar code in auth_zone synth cname to add the extra checks.
3792	- Fix Assert Causing DoS in dname_pkt_copy(),
3793	  reported by X41 D-Sec.
3794	- Fix OOB Read in sldns_wire2str_dname_scan(),
3795	  reported by X41 D-Sec.
3796	- Fix Out of Bounds Write in sldns_str2wire_str_buf(),
3797	  reported by X41 D-Sec.
3798	- Fix Out of Bounds Write in sldns_b64_pton(),
3799	  fixed by check in sldns_str2wire_int16_data_buf(),
3800	  reported by X41 D-Sec.
3801	- Fix Insufficient Handling of Compressed Names in dname_pkt_copy(),
3802	  reported by X41 D-Sec.
3803	- Fix Out of Bound Write Compressed Names in rdata_copy(),
3804	  reported by X41 D-Sec.
3805	- Fix Hang in sldns_wire2str_pkt_scan(),
3806	  reported by X41 D-Sec.
3807	  This further lowers the max to 256.
3808	- Fix snprintf() supports the n-specifier,
3809	  reported by X41 D-Sec.
3810	- Fix Bad Indentation, in dnscrypt.c,
3811	  reported by X41 D-Sec.
3812	- Fix Client NONCE Generation used for Server NONCE,
3813	  reported by X41 D-Sec.
3814	- Fix compile error in dnscrypt.
3815	- Fix _vfixed not Used, removed from sbuffer code,
3816	  reported by X41 D-Sec.
3817	- Fix Hardcoded Constant, reported by X41 D-Sec.
3818	- make depend
3819
38202 December 2019: Wouter
3821	- Merge pull request #122 from he32: In tcp_callback_writer(),
3822	  don't disable time-out when changing to read.
3823
382422 November 2019: George
3825	- Fix compiler warnings.
3826
382722 November 2019: Wouter
3828	- Fix dname loop maximum, reported by Eric Sesterhenn from X41 D-Sec.
3829	- Add make distclean that removes everything configure produced,
3830	  and make maintainer-clean that removes bison and flex output.
3831
383220 November 2019: Wouter
3833	- Fix Out of Bounds Read in rrinternal_get_owner(),
3834	  reported by X41 D-Sec.
3835	- Fix Race Condition in autr_tp_create(),
3836	  reported by X41 D-Sec.
3837	- Fix Shared Memory World Writeable,
3838	  reported by X41 D-Sec.
3839	- Adjust unbound-control to make stats_shm a read only operation.
3840	- Fix Weak Entropy Used For Nettle,
3841	  reported by X41 D-Sec.
3842	- Fix Randomness Error not Handled Properly,
3843	  reported by X41 D-Sec.
3844	- Fix Out-of-Bounds Read in dname_valid(),
3845	  reported by X41 D-Sec.
3846	- Fix Config Injection in create_unbound_ad_servers.sh,
3847	  reported by X41 D-Sec.
3848	- Fix Local Memory Leak in cachedb_init(),
3849	  reported by X41 D-Sec.
3850	- Fix Integer Underflow in Regional Allocator,
3851	  reported by X41 D-Sec.
3852	- Upgrade compat/getentropy_linux.c to version 1.46 from OpenBSD.
3853	- Synchronize compat/getentropy_win.c with version 1.5 from
3854	  OpenBSD, no changes but makes the file, comments, identical.
3855	- Upgrade compat/getentropy_solaris.c to version 1.13 from OpenBSD.
3856	- Upgrade compat/getentropy_osx.c to version 1.12 from OpenBSD.
3857	- Changes to compat/getentropy files for,
3858	  no link to openssl if using nettle, and hence config.h for
3859	  HAVE_NETTLE variable.
3860	  compat definition of MAP_ANON, for older systems.
3861	  ifdef stdint.h inclusion for older systems.
3862	  ifdef sha2.h inclusion for older systems.
3863	- Fixed Compat Code Diverging from Upstream, reported by X41 D-Sec.
3864	- Fix compile with --enable-alloc-checks, reported by X41 D-Sec.
3865	- Fix Terminating Quotes not Written, reported by X41 D-Sec.
3866	- Fix Useless memset() in validator, reported by X41 D-Sec.
3867	- Fix Unrequired Checks, reported by X41 D-Sec.
3868	- Fix Enum Name not Used, reported by X41 D-Sec.
3869	- Fix NULL Pointer Dereference via Control Port,
3870	  reported by X41 D-Sec.
3871	- Fix Bad Randomness in Seed, reported by X41 D-Sec.
3872	- Fix python examples/calc.py for eval, reported by X41 D-Sec.
3873	- Fix comments for doxygen in dns64.
3874
387519 November 2019: Wouter
3876	- Fix CVE-2019-18934, shell execution in ipsecmod.
3877	- 1.9.5 is 1.9.4 with bugfix, trunk is 1.9.6 in development.
3878	- Fix authzone printout buffer length check.
3879	- Fixes to please lint checks.
3880	- Fix Integer Overflow in Regional Allocator,
3881	  reported by X41 D-Sec.
3882	- Fix Unchecked NULL Pointer in dns64_inform_super()
3883	  and ipsecmod_new(), reported by X41 D-Sec.
3884	- Fix Out-of-bounds Read in rr_comment_dnskey(),
3885	  reported by X41 D-Sec.
3886	- Fix Integer Overflows in Size Calculations,
3887	  reported by X41 D-Sec.
3888	- Fix Integer Overflow to Buffer Overflow in
3889	  sldns_str2wire_dname_buf_origin(), reported by X41 D-Sec.
3890	- Fix Out of Bounds Read in sldns_str2wire_dname(),
3891	  reported by X41 D-Sec.
3892	- Fix Out of Bounds Write in sldns_bget_token_par(),
3893	  reported by X41 D-Sec.
3894
389518 November 2019: Wouter
3896	- In unbound-host use separate variable for get_option to please
3897	  code checkers.
3898	- update to bison output of 3.4.1 in code repository.
3899	- Provide a prototype for compat malloc to remove compile warning.
3900	- Portable grep usage for reuseport configure test.
3901	- Check return type of HMAC_Init_ex for openssl 0.9.8.
3902	- gitignore .source tempfile used for compatible make.
3903
390413 November 2019: Wouter
3905	- iana portlist updated.
3906	- contrib/fastrpz.patch updated to apply for current code.
3907	- fixes for splint cleanliness, long vs int in SSL set_mode.
3908
390911 November 2019: Wouter
3910	- Fix #109: check number of arguments for stdin-pipes in
3911	  unbound-control and fail if too many arguments.
3912	- Merge #102 from jrtc27: Add getentropy emulation for FreeBSD.
3913
391424 October 2019: Wouter
3915	- Fix #99: Memory leak in ub_ctx (event_base will never be freed).
3916
391723 October 2019: George
3918	- Add new configure option `--enable-fully-static` to enable full static
3919	  build if requested; in relation to #91.
3920
392123 October 2019: Wouter
3922	- Merge #97: manpage: Add missing word on unbound.conf,
3923	  from Erethon.
3924
392522 October 2019: Wouter
3926	- drop-tld.diff: adds option drop-tld: yesno that drops 2 label
3927	  queries, to stop random floods.  Apply with
3928	  patch -p1 < contrib/drop-tld.diff and compile.
3929	  From Saksham Manchanda (Secure64).  Please note that we think this
3930	  will drop DNSKEY and DS lookups for tlds and hence break DNSSEC
3931	  lookups for downstream clients.
3932
39337 October 2019: Wouter
3934	- Add doxygen comments to unbound-anchor source address code, in #86.
3935
39363 October 2019: Wouter
3937	- Merge #90 from vcunat: fix build with nettle-3.5.
3938	- Merge 1.9.4 release with fix for vulnerability CVE-2019-16866.
3939	- Continue with development of 1.9.5.
3940	- Merge #86 from psquarejho: Added -b source address option to
3941	  smallapp/unbound-anchor.c, from Lukas Wunner.
3942
394326 September 2019: Wouter
3944	- Merge #87 from hardfalcon: Fix contrib/unbound.service.in,
3945	  Drop CAP_KILL, use + prefix for ExecReload= instead.
3946
394725 September 2019: Wouter
3948	- The unbound.conf includes are sorted ascending, for include
3949	  statements with a '*' from glob.
3950
395123 September 2019: Wouter
3952	- Merge #85 for #84 from sam-lunt: Add kill capability to systemd
3953	  service file to fix that systemctl reload fails.
3954
395520 September 2019: Wouter
3956	- Merge #82 from hardfalcon: Downgrade CAP_NET_ADMIN to CAP_NET_RAW
3957	  in unbound.service.
3958	- Merge #81 from Maryse47: Consistently use /dev/urandom instead
3959	  of /dev/random in scripts and docs.
3960	- Merge #83 from Maryse47: contrib/unbound.service.in: do not fork
3961	  into the background.
3962
396319 September 2019: Wouter
3964	- Fix #78: Memory leak in outside_network.c.
3965	- Merge pull request #76 from Maryse47: Improvements and fixes for
3966	  systemd unbound.service.
3967	- oss-fuzz badge on README.md.
3968	- Fix fix for #78 to also free service callback struct.
3969	- Fix for oss-fuzz build warning.
3970	- Fix wrong response ttl for prepended short CNAME ttls, this would
3971	  create a wrong zero_ttl response count with serve-expired enabled.
3972	- Merge #80 from stasic: Improve wording in man page.
3973
397411 September 2019: Wouter
3975	- Use explicit bzero for wiping clear buffer of hash in cachedb,
3976	  reported by Eric Sesterhenn from X41 D-Sec.
3977
39789 September 2019: Wouter
3979	- Fix #72: configure --with-syslog-facility=LOCAL0-7 with default
3980	  LOG_DAEMON (as before) can set the syslog facility that the server
3981	  uses to log messages.
3982
39834 September 2019: Wouter
3984	- Fix #71: fix openssl error squelch commit compilation error.
3985
39863 September 2019: Wouter
3987	- squelch DNS over TLS errors 'ssl handshake failed crypto error'
3988	  on low verbosity, they show on verbosity 3 (query details), because
3989	  there is a high volume and the operator cannot do anything for the
3990	  remote failure.  Specifically filters the high volume errors.
3991
39922 September 2019: Wouter
3993	- ipset module #28: log that an address is added, when verbosity high.
3994	- ipset: refactor long routine into three smaller ones.
3995	- updated Makefile dependencies.
3996
399723 August 2019: Wouter
3998	- Fix contrib/fastrpz.patch asprintf return value checks.
3999
400022 August 2019: Wouter
4001	- Fix that pkg-config is setup before --enable-systemd needs it.
4002	- 1.9.3rc2 release candidate tag.  And this became the 1.9.3 release.
4003	  Master is 1.9.4 in development.
4004
400521 August 2019: Wouter
4006	- Fix log_dns_msg to log irrespective of minimal responses config.
4007
400819 August 2019: Ralph
4009	- Document limitation of pidfile removal outside of chroot directory.
4010
401116 August 2019: Wouter
4012	- Fix unittest valgrind false positive uninitialised value report,
4013	  where if gcc 9.1.1 uses -O2 (but not -O1) then valgrind 3.15.0
4014	  issues an uninitialised value for the token buffer at the str2wire.c
4015	  rrinternal_get_owner() strcmp with the '@' value.  Rewritten to use
4016	  straight character comparisons removes the false positive.  Also
4017	  valgrinds --expensive-definedness-checks=yes can stop this false
4018	  positive.
4019	- Please doxygen's parser for "@" occurrence in doxygen comment.
4020	- Fixup contrib/fastrpz.patch
4021	- Remove warning about unknown cast-function-type warning pragma.
4022
402315 August 2019: Wouter
4024	- iana portlist updated.
4025	- Fix autotrust temp file uniqueness windows compile.
4026	- avoid warning about upcast on 32bit systems for autotrust.
4027	- escape commandline contents for -V.
4028	- Fix character buffer size in ub_ctx_hosts.
4029	- 1.9.3rc1 release candidate tag.
4030	- Option -V prints if TCP fastopen is available.
4031
403214 August 2019: George
4033	- Fix #59, when compiled with systemd support check that we can properly
4034	  communicate with systemd through the `NOTIFY_SOCKET`.
4035
403614 August 2019: Wouter
4037	- Generate configlexer with newer flex.
4038	- Fix warning for unused variable for compilation without systemd.
4039
404012 August 2019: George
4041	- Introduce `-V` option to print the version number and build options.
4042	  Previously reported build options like linked libs and linked modules
4043	  are now moved from `-h` to `-V` as well for consistency.
4044	- PACKAGE_BUGREPORT now also includes link to GitHub issues.
4045
40461 August 2019: Wouter
4047	- For #52 #53, second context does not close logfile override.
4048	- Fix #52 #53, fix for example fail program.
4049	- Fix to return after failed auth zone http chunk write.
4050	- Fix to remove unused test for task_probe existence.
4051	- Fix to timeval_add for remaining second in microseconds.
4052	- Check repinfo in worker_handle_request, if null, drop it.
4053
405429 July 2019: Wouter
4055	- Add verbose log message when auth zone file is written, at level 4.
4056	- Add hex print of trust anchor pointer to trust anchor file temp
4057	  name to make it unique, for libunbound created multiple contexts.
4058
405923 July 2019: Wouter
4060	- Fix question section mismatch in local zone redirect.
4061
406219 July 2019: Wouter
4063	- Fix #49: Set no renegotiation on the SSL context to stop client
4064	  session renegotiation.
4065
406612 July 2019: Wouter
4067	- Fix #48: Unbound returns additional records on NODATA response,
4068	  if minimal-responses is enabled, also the additional for negative
4069	  responses is removed.
4070
40719 July 2019: Ralph
4072	- Fix in respip addrtree selection. Absence of addr_tree_init_parents()
4073	  call made it impossible to go up the tree when the matching netmask is
4074	  too specific.
4075
40765 July 2019: Ralph
4077	- Fix for possible assertion failure when answering respip CNAME from
4078	  cache.
4079
408025 June 2019: Wouter
4081	- For #45, check that 127.0.0.1 and ::1 are not used in unbound.conf
4082	  when do-not-query-localhost is turned on, or at default on,
4083	  unbound-checkconf prints a warning if it is found in forward-addr or
4084	  stub-addr statements.
4085
408624 June 2019: Wouter
4087	- Fix memleak in unit test, reported from the clang 8.0 static analyzer.
4088
408918 June 2019: Wouter
4090	- PR #28: IPSet module, by Kevin Chou.  Created a module to support
4091	  the ipset that could add the domain's ip to a list easily.
4092	  Needs libmnl, and --enable-ipset and config it, doc/README.ipset.md.
4093	- Fix to omit RRSIGs from addition to the ipset.
4094	- Fix to make unbound-control with ipset, remove unused variable,
4095	  use unsigned type because of comparison, and assign null instead
4096	  of compare with it.  Remade lex and yacc output.
4097	- make depend
4098	- Added documentation to the ipset files (for doxygen output).
4099	- Merge PR #6: Python module: support multiple instances
4100	- Merge PR #5: Python module: define constant MODULE_RESTART_NEXT
4101	- Merge PR #4: Python module: assign something useful to the
4102	  per-query data store 'qdata'
4103	- Fix python dict reference and double free in config.
4104
410517 June 2019: Wouter
4106	- Master contains version 1.9.3 in development.
4107	- Fix #39: In libunbound, leftover logfile is close()d unpredictably.
4108	- Fix for #24: Fix abort due to scan of auth zone masters using old
4109	  address from previous scan.
4110
411112 June 2019: Wouter
4112	- Fix another spoolbuf storage code point, in prefetch.
4113	- 1.9.2rc3 release candidate tag.  Which became the 1.9.2 release
4114	  on 17 June 2019.
4115
411611 June 2019: Wouter
4117	- Fix that fixes the Fix that spoolbuf is not used to store tcp
4118	  pipelined response between mesh send and callback end, this fixes
4119	  error cases that did not use the correct spoolbuf.
4120	- 1.9.2rc2 release candidate tag.
4121
41226 June 2019: Wouter
4123	- 1.9.2rc1 release candidate tag.
4124
41254 June 2019: Wouter
4126	- iana portlist updated.
4127
412829 May 2019: Wouter
4129	- Fix to guard _OPENBSD_SOURCE from redefinition.
4130
413128 May 2019: Wouter
4132	- Fix to define _OPENBSD_SOURCE to get reallocarray on NetBSD.
4133	- gitignore config.h.in~.
4134
413527 May 2019: Wouter
4136	- Fix double file close in tcp pipelined response code.
4137
413824 May 2019: Wouter
4139	- Fix that spoolbuf is not used to store tcp pipelined response
4140	  between mesh send and callback end.
4141
414220 May 2019: Wouter
4143	- Note that so-reuseport at extreme load is better turned off,
4144	  otherwise queries are not distributed evenly, on Linux 4.4.x.
4145
414616 May 2019: Wouter
4147	- Fix #31: swig 4.0 and python module.
4148
414913 May 2019: Wouter
4150	- Squelch log messages from tcp send about connection reset by peer.
4151	  They can be enabled with verbosity at higher values for diagnosing
4152	  network connectivity issues.
4153	- Attempt to fix malformed tcp response.
4154
41559 May 2019: Wouter
4156	- Revert fix for oss-fuzz, error is in that build script that
4157	  unconditionally includes .o files detected by configure, also
4158	  when the machine architecture uses different LIBOBJS files.
4159
41608 May 2019: Wouter
4161	- Attempt to fix build failure in oss-fuzz because of reallocarray.
4162	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14648.
4163	  Does not omit compile flags from commandline.
4164
41657 May 2019: Wouter
4166	- Fix edns-subnet locks, in error cases the lock was not unlocked.
4167	- Fix doxygen output error on readme markdown vignettes.
4168
41696 May 2019: Wouter
4170	- Fix #29: Solaris 11.3 and missing symbols be64toh, htobe64.
4171	- Fix #30: AddressSanitizer finding in lookup3.c.  This sets the
4172	  hash function to use a slower but better auditable code that does
4173	  not read beyond array boundaries.  This makes code better security
4174	  checkable, and is better for security.  It is fixed to be slower,
4175	  but not read outside of the array.
4176
41772 May 2019: Wouter
4178	- contrib/fastrpz.patch updated for code changes, and with git diff.
4179	- Fix .gitignore, add pythonmod and dnstap generated files.
4180	  And unit test generated files, and generated doc files.
4181
41821 May 2019: Wouter
4183	- Update makedist for git.
4184	- Nicer travis output for clang analysis.
4185	- PR #16: XoT support, AXFR over TLS, turn it on with
4186	  master: <ip>#<authname> in unbound.conf.  This uses TLS to
4187	  download the AXFR (or IXFR).
4188
418925 April 2019: Wouter
4190	- Fix wrong query name in local zone redirect answers with a CNAME,
4191	  the copy of the local alias is in unpacked form.
4192
419318 April 2019: Ralph
4194	- Scrub RRs from answer section when reusing NXDOMAIN message for
4195	  subdomain answers.
4196	- For harden-below-nxdomain: do not consider a name to be non-exitent
4197	  when message contains a CNAME record.
4198
419918 April 2019: Wouter
4200	- travis build file.
4201
420216 April 2019: Wouter
4203	- Better braces in if statement in TCP fastopen code.
4204	- iana portlist updated.
4205
420615 April 2019: Wouter
4207	- Fix tls write event for read state change to re-call SSL_write and
4208	  not resume the TLS handshake.
4209
421011 April 2019: George
4211	- Update python documentation for init_standard().
4212	- Typos.
4213
421411 April 2019: Wouter
4215	- Fix that auth zone uses correct network type for sockets for
4216	  SOA serial probes.  This fixes that probes fail because earlier
4217	  probe addresses are unreachable.
4218	- Fix that auth zone fails over to next master for timeout in tcp.
4219	- Squelch SSL read and write connection reset by peer and broken pipe
4220	  messages.  Verbosity 2 and higher enables them.
4221
42228 April 2019: Wouter
4223	- Fix to use event_assign with libevent for thread-safety.
4224	- verbose information about auth zone lookup process, also lookup
4225	  start, timeout and fail.
4226	- Fix #17: Add python module example from Jan Janak, that is a
4227	  plugin for the Unbound DNS resolver to resolve DNS records in
4228	  multicast DNS [RFC 6762] via Avahi.  The plugin communicates
4229	  with Avahi via DBus. The comment section at the beginning of
4230	  the file contains detailed documentation.
4231	- Fix to wipe ssl ticket keys from memory with explicit_bzero,
4232	  if available.
4233
42345 April 2019: Wouter
4235	- Fix to reinit event structure for accepted TCP (and TLS) sockets.
4236
42374 April 2019: Wouter
4238	- Fix spelling error in log output for event method.
4239
42403 April 2019: Wouter
4241	- Move goto label in answer_from_cache to the end of the function
4242	  where it is more visible.
4243	- Fix auth-zone NSEC3 response for wildcard nodata answers,
4244	  include the closest encloser in the answer.
4245
42462 April 2019: Wouter
4247	- Fix auth-zone NSEC3 response for empty nonterminals with exact
4248	  match nsec3 records.
4249	- Fix for out of bounds integers, thanks to OSTIF audit.  It is in
4250	  allocation debug code.
4251	- Fix for auth zone nsec3 ent fix for wildcard nodata.
4252
425325 March 2019: Wouter
4254	- Fix that tls-session-ticket-keys: "" on its own in unbound.conf
4255	  disables the tls session ticker key calls into the OpenSSL API.
4256	- Fix crash if tls-servic-pem not filled in when necessary.
4257
425821 March 2019: Wouter
4259	- Fix #4240: Fix whitespace cleanup in example.conf.
4260
426119 March 2019: Wouter
4262	- add type CAA to libpyunbound (accessing libunbound from python).
4263
426418 March 2019: Wouter
4265	- Add log message, at verbosity 4, that says the query is encrypted
4266	  with TLS, if that is enabled for the query.
4267	- Fix #4239: set NOTIMPL when deny-any is enabled, for RFC8482.
4268
42697 March 2019: Wouter
4270	- Fix for #4233: guard use of NDEBUG, so that it can be passed in
4271	  CFLAGS into configure.
4272
42735 March 2019: Wouter
4274	- Tag release 1.9.1rc1.  Which became 1.9.1 on 12 March 2019.  Trunk
4275	  has 1.9.2 in development.
4276
42771 March 2019: Wouter
4278	- output forwarder log in ssl_req_order test.
4279
428028 February 2019: Wouter
4281	- Remove memory leak on pythonmod python2 script file init.
4282	- Remove swig gcc8 python function cast warnings, they are ignored.
4283	- Print correct module that failed when module-config is wrong.
4284
428527 February 2019: Wouter
4286	- Fix #4229: Unbound man pages lack information, about access-control
4287	  order and local zone tags, and elements in views.
4288	- Fix #14: contrib/unbound.init: Fix wrong comparison judgment
4289	  before copying.
4290	- Fix for python module on Windows, fix fopen.
4291
429225 February 2019: Wouter
4293	- Fix #4227: pair event del and add for libevent for tcp_req_info.
4294
429521 February 2019: Wouter
4296	- Fix the error for unknown module in module-config is understandable,
4297	  and explains it was not compiled in and where to see the list.
4298	- In example.conf explain where to put cachedb module in module-config.
4299	- In man page and example config explain that most modules have to
4300	  be listed at the start of module-config.
4301
430220 February 2019: Wouter
4303	- Fix pythonmod include and sockaddr_un ifdefs for compile on
4304	  Windows, and for libunbound.
4305
430618 February 2019: Wouter
4307	- Print query name with ip_ratelimit exceeded log lines.
4308	- Spaces instead of tabs in that log message.
4309	- Print query name and IP address when domain rate limit exceeded.
4310
431114 February 2019: Wouter
4312	- Fix capsforid canonical sort qsort callback.
4313
431411 February 2019: Wouter
4315	- Note default for module-config in man page.
4316	- Fix recursion lame test for qname minimisation asked queries,
4317	  that were not present in the set of prepared answers.
4318	- Fix #13: Remove left-over requirements on OpenSSL >= 1.1.0 for
4319	  cert name matching, from man page.
4320	- make depend, with newer gcc, nicer layout.
4321
43227 February 2019: Wouter
4323	- Fix #4206: OpenSSL 1.0.2 hostname verification for FreeBSD 11.2.
4324	- Fix that qname minimisation does not skip a label when missing
4325	  nameserver targets need to be fetched.
4326	- Fix #4225: clients seem to erroneously receive no answer with
4327	  DNS-over-TLS and qname-minimisation.
4328
43294 February 2019: Wouter
4330	- Fix that log-replies prints the correct name for local-alias
4331	  names, for names that have a CNAME in local-data configuration.
4332	  It logs the original query name, not the target of the CNAME.
4333	- Add local-zone type inform_redirect, which logs like type inform,
4334	  and redirects like type redirect.
4335	- Perform canonical sort for 0x20 capsforid compare of replies,
4336	  this sorts rrsets in the authority and additional section before
4337	  comparison, so that out of order rrsets do not cause failure.
4338
433931 January 2019: Wouter
4340	- Set ub_ctx_set_tls call signature in ltrace config file for
4341	  libunbound in contrib/libunbound.so.conf.
4342	- improve documentation for tls-service-key and forward-first.
4343	- #10: fixed pkg-config operations, PKG_PROG_PKG_CONFIG moved out of
4344	  conditional section, fixes systemd builds, from Enrico Scholz.
4345	- #9: For openssl 1.0.2 use the CRYPTO_THREADID locking callbacks,
4346	  still supports the set_id_callback previous API.  And for 1.1.0
4347	  no locking callbacks are needed.
4348	- #8: Fix OpenSSL without ENGINE support compilation.
4349	- Wipe TLS session key data from memory on exit.
4350
435130 January 2019: Ralph
4352	- Fix case in which query timeout can result in marking delegation
4353	  as edns_lame_known.
4354
435529 January 2019: Wouter
4356	- Fix spelling of tls-ciphers in example.conf.in.
4357	- Fix #4224: auth_xfr_notify.rpl test broken due to typo
4358	- Fix locking for libunbound context setup with broken port config.
4359
436028 January 2019: Wouter
4361	- ub_ctx_set_tls call for libunbound that enables DoT for the machines
4362	  set with ub_ctx_set_fwd.  Patch from Florian Obser.
4363	- Set build system for added call in the libunbound API.
4364	- List example config for root zone copy locally hosted with auth-zone
4365	  as suggested from draft-ietf-dnsop-7706-bis-02.  But with updated
4366	  B root address.
4367	- set version to 1.9.0 for release.  And this was released with the
4368	  spelling for tls-ciphers fix as 1.9.0 on Feb 5.  Trunk has 1.9.1 in
4369	  development.
4370
437125 January 2019: Wouter
4372	- Fix that tcp for auth zone and outgoing does not remove and
4373	  then gets the ssl read again applied to the deleted commpoint.
4374	- updated contrib/fastrpz.patch to cleanly diff.
4375	- no lock when threads disabled in tcp request buffer count.
4376	- remove compile warnings from libnettle compile.
4377	- output of newer lex 2.6.1 and bison 3.0.5.
4378
437924 January 2019: Wouter
4380	- Newer aclocal and libtoolize used for generating configure scripts,
4381	  aclocal 1.16.1 and libtoolize 2.4.6.
4382	- Fix unit test for python 3.7 new keyword 'async'.
4383	- clang analysis fixes, assert arc4random buffer in init,
4384	  no check for already checked delegation pointer in iterator,
4385	  in testcode check for NULL packet matches, in perf do not copy
4386	  from NULL start list when growing capacity.  Adjust host and file
4387	  only when present in test header read to please checker.  In
4388	  testcode for unknown macro operand give zero result. Initialise the
4389	  passed argv array in test code.  In test code add EDNS data
4390	  segment copy only when nonempty.
4391	- Patch from Florian Obser fixes some compiler warnings:
4392	  include mini_event.h to have a prototype for mini_ev_cmp
4393	  include edns.h to have a prototype for apply_edns_options
4394	  sldns_wire2str_edns_keepalive_print is only called in the wire2str,
4395	  module declare it static to get rid of compiler warning:
4396	  no previous prototype for function
4397	  infra_find_ip_ratedata() is only called in the infra module,
4398	  declare it static to get rid of compiler warning:
4399	  no previous prototype for function
4400	  do not shadow local variable buf in authzone
4401	  auth_chunks_delete and az_nsec3_findnode are only called in the
4402	  authzone module, declare them static to get rid of compiler warning:
4403	  no previous prototype for function...
4404	  copy_rrset() is only called in the respip module, declare it
4405	  static to get rid of compiler warning:
4406	  no previous prototype for function 'copy_rrset'
4407	  no need for another variable "r"; gets rid of compiler warning:
4408	  declaration shadows a local variable in libunbound.c
4409	  no need for another variable "ns"; gets rid of compiler warning:
4410	  declaration shadows a local variable in iterator.c
4411	- Moved includes and make depend.
4412
441323 January 2019: Wouter
4414	- Patch from Manabu Sonoda with tls-ciphers and tls-ciphersuites
4415	  options for unbound.conf.
4416	- Fixes for the patch, and man page entry.
4417	- Fix configure to detect SSL_CTX_set_ciphersuites, for better
4418	  library compatibility when compiling.
4419	- Patch for TLS session resumption from Manabu Sonoda,
4420	  enable with tls-session-ticket-keys in unbound.conf.
4421	- Fixes for patch (includes, declarations, warnings).  Free at end
4422	  and keep config options in order read from file to keep the first
4423	  one as the first one.
4424	- Fix for IXFR fallback to reset counter when IXFR does not timeout.
4425
442622 January 2019: Wouter
4427	- Fix space calculation for tcp req buffer size.
4428	- Doc for stream-wait-size and unit test.
4429	- unbound-control stats has mem.streamwait that counts TCP and TLS
4430	  waiting result buffers.
4431	- Fix for #4219: secondaries not updated after serial change, unbound
4432	  falls back to AXFR after IXFR gives several timeout failures.
4433	- Fix that auth zone after IXFR fallback tries the same master.
4434
443521 January 2019: Wouter
4436	- Fix tcp idle timeout test, for difference in the tcp reply code.
4437	- Unit test for tcp request reorder and timeouts.
4438	- Unit tests for ssl out of order processing.
4439	- Fix that multiple dns fragments can be carried in one TLS frame.
4440	- Add stream-wait-size: 4m config option to limit the maximum
4441	  memory used by waiting tcp and tls stream replies.  This avoids
4442	  a denial of service where these replies use up all of the memory.
4443
444417 January 2019: Wouter
4445	- For caps-for-id fallback, use the whitelist to avoid timeout
4446	  starting a fallback sequence for it.
4447	- increase mesh max activation count for capsforid long fetches.
4448
444916 January 2019: Ralph
4450	- Get ready for the DNS flag day: remove EDNS lame procedure, do not
4451	  re-query without EDNS after timeout.
4452
445315 January 2019: Wouter
4454	- In the out of order processing, reset byte count for (potential)
4455	  partial read.
4456	- Review fixes in out of order processing.
4457
445814 January 2019: Wouter
4459	- streamtcp option -a send queries consecutively and prints answers
4460	  as they arrive.
4461	- Fix for out of order processing administration quit cleanup.
4462	- unit test for tcp out of order processing.
4463
446411 January 2019: Wouter
4465	- Initial commit for out-of-order processing for TCP and TLS.
4466
44679 January 2019: Wouter
4468	- Log query name for looping module errors.
4469
44708 January 2019: Wouter
4471	- Fix syntax in comment of local alias processing.
4472	- Fix NSEC3 record that is returned in wildcard replies from
4473	  auth-zone zones with NSEC3 and wildcards.
4474
44757 January 2019: Wouter
4476	- On FreeBSD warn if systcl settings do not allow server TCP FASTOPEN,
4477	  and server tcp fastopen is enabled at compile time.
4478	- Document interaction between the tls-upstream option in the server
4479	  section and forward-tls-upstream option in the forward-zone sections.
4480	- Add contrib/unbound-fuzzme.patch from Jacob Hoffman-Andrews,
4481	  the patch adds a program used for fuzzing.
4482
448312 December 2018: Wouter
4484	- Fix for crash in dns64 module if response is null.
4485
448610 December 2018: Wouter
4487	- Fix config parser memory leaks.
4488	- ip-ratelimit-factor of 1 allows all traffic through, instead of the
4489	  previous blocking everything.
4490	- Fix for FreeBSD port make with dnscrypt and dnstap enabled.
4491	- Fix #4206: support openssl 1.0.2 for TLS hostname verification,
4492	  alongside the 1.1.0 and later support that is already there.
4493	- Fixup openssl 1.0.2 compile
4494
44956 December 2018: Wouter
4496	- Fix dns64 allocation in wrong region for returned internal queries.
4497
44983 December 2018: Wouter
4499	- Fix icon, no ragged edges and nicer resolutions available, for eg.
4500	  Win 7 and Windows 10 display.
4501	- cache-max-ttl also defines upperbound of initial TTL in response.
4502
450330 November 2018: Wouter
4504	- Patch for typo in unbound.conf man page.
4505	- log-tag-queryreply: yes in unbound.conf tags the log-queries and
4506	  log-replies in the log file for easier log filter maintenance.
4507
450829 November 2018: Wouter
4509	- iana portlist updated.
4510	- Fix chroot auth-zone fix to remove chroot prefix.
4511	- tag for 1.8.2rc1, which became 1.8.2 on 4 dec 2018, with icon
4512	  updated.  Trunk contains 1.8.3 in development.
4513	  Which became 1.8.3 on 11 december with only the dns64 fix of 6 dec.
4514	  Trunk then became 1.8.4 in development.
4515	- Fix that unbound-checkconf does not complains if the config file
4516	  is not placed inside the chroot.
4517	- Refuse to start with no ports.
4518	- Remove clang analysis warnings.
4519
452028 November 2018: Wouter
4521	- Fix leak in chroot fix for auth-zone.
4522	- Fix clang analysis for outside directory build test.
4523
452427 November 2018: Wouter
4525	- Fix DNS64 to not store intermediate results in cache, this avoids
4526	  other threads from picking up the wrong data.  The module restores
4527	  the previous no_cache_store setting when the the module is finished.
4528	- Fix #4208: 'stub-no-cache' and 'forward-no-cache' not work.
4529	- New and better fix for Fix #4193: Fix that prefetch failure does
4530	  not overwrite valid cache entry with SERVFAIL.
4531	- auth-zone give SERVFAIL when expired, fallback activates when
4532	  expired, and this is documented in the man page.
4533	- stat count SERVFAIL downstream auth-zone queries for expired zones.
4534	- Put new logos into windows installer.
4535	- Fix windows compile for new rrset roundrobin fix.
4536	- Update contrib fastrpz patch for latest release.
4537
453826 November 2018: Wouter
4539	- Fix to not set GLOB_NOSORT so the unbound.conf include: files are
4540	  sorted and in a predictable order.
4541	- Fix #4193: Fix that prefetch failure does not overwrite valid cache
4542	  entry with SERVFAIL.
4543	- Add unbound-control view_local_datas command, like local_datas.
4544	- Fix that unbound-control can send file for view_local_datas.
4545
454622 November 2018: Wouter
4547	- With ./configure --with-pyunbound --with-pythonmodule
4548	  PYTHON_VERSION=3.6 or with 2.7 unbound can compile and unit tests
4549	  succeed for the python module.
4550	- pythonmod logs the python error and traceback on failure.
4551	- ignore debug python module for test in doxygen output.
4552	- review fixes for python module.
4553	- Fix #4209: Crash in libunbound when called from getdns.
4554	- auth zone zonefiles can be in a chroot, the chroot directory
4555	  components are removed before use.
4556	- Fix that empty zonefile means the zonefile is not set and not used.
4557	- make depend.
4558
455921 November 2018: Wouter
4560	- Scrub NS records from NODATA responses as well.
4561
456220 November 2018: Wouter
4563	- Scrub NS records from NXDOMAIN responses to stop fragmentation
4564	  poisoning of the cache.
4565	- Add patch from Jan Vcelak for pythonmod,
4566	  add sockaddr_storage getters, add support for query callbacks,
4567	  allow raw address access via comm_reply and update API documentation.
4568	- Removed compile warnings in pythonmod sockaddr routines.
4569
457019 November 2018: Wouter
4571	- Support SO_REUSEPORT_LB in FreeBSD 12 with the so-reuseport: yes
4572	  option in unbound.conf.
4573
45746 November 2018: Ralph
4575	- Bugfix min-client-subnet-ipv6
4576
457725 October 2018: Ralph
4578	- Add min-client-subnet-ipv6 and min-client-subnet-ipv4 options.
4579
458025 October 2018: Wouter
4581	- Fix #4191: NXDOMAIN vs SERVFAIL during dns64 PTR query.
4582	- Fix #4190: Please create a "ANY" deny option, adds the option
4583	  deny-any: yes in unbound.conf.  This responds with an empty message
4584	  to queries of type ANY.
4585	- Fix #4141: More randomness to rrset-roundrobin.
4586	- Fix #4132: Openness/closeness of RANGE intervals in rpl files.
4587	- Fix #4126: RTT_band too low on VSAT links with 600+ms latency,
4588	  adds the option unknown-server-time-limit to unbound.conf that
4589	  can be increased to avoid the problem.
4590	- remade makefile dependencies.
4591	- Fix #4152: Logs shows wrong time when using log-time-ascii: yes.
4592
459324 October 2018: Ralph
4594	- Add markdel function to ECS slabhash.
4595	- Limit ECS scope returned to client to the scope used for caching.
4596	- Make lint like previous #4154 fix.
4597
459822 October 2018: Wouter
4599	- Fix #4192: unbound-control-setup generates keys not readable by
4600	  group.
4601	- check that the dnstap socket file can be opened and exists, print
4602	  error if not.
4603	- Fix #4154: make ECS_MAX_TREESIZE configurable, with
4604	  the max-ecs-tree-size-ipv4 and max-ecs-tree-size-ipv6 options.
4605
460622 October 2018: Ralph
4607	- Change fast-server-num default to 3.
4608
46098 October 2018: Ralph
4610	- Add fast-server-permil and fast-server-num options.
4611	- Deprecate low-rtt and low-rtt-permil options.
4612
46138 October 2018: Wouter
4614	- Squelch log of failed to tcp initiate after TCP Fastopen failure.
4615
46165 October 2018: Wouter
4617	- Squelch EADDRNOTAVAIL errors when the interface goes away,
4618	  this omits 'can't assign requested address' errors unless
4619	  verbosity is set to a high value.
4620	- Set default for so-reuseport to no for FreeBSD.  It is enabled
4621	  by default for Linux and DragonFlyBSD.  The setting can
4622	  be configured in unbound.conf to override the default.
4623	- iana port update.
4624
46252 October 2018: Wouter
4626	- updated contrib/fastrpz.patch to apply for this version
4627	- dnscrypt.c removed sizeof to get array bounds.
4628	- Fix testlock code to set noreturn on error routine.
4629	- Remove unused variable from contrib fastrpz/rpz.c and
4630	  remove unused diagnostic pragmas that themselves generate warnings
4631	- clang analyze test is used only when assertions are enabled.
4632
46331 October 2018: Wouter
4634	- tag for release 1.8.1rc1.  Became release 1.8.1 on 8 oct, with
4635	  fastrpz.patch fix included.  Trunk has 1.8.2 in development.
4636
463727 September 2018: Wouter
4638	- Fix #4188: IPv6 forwarders without ipv6 result in SERVFAIL, fixes
4639	  qname minimisation with a forwarder when connectivity has issues
4640	  from rejecting responses.
4641
464225 September 2018: Wouter
4643	- Perform TLS SNI indication of the host that is being contacted
4644	  for DNS over TLS service.  It sets the configured tls auth name.
4645	  This is useful for hosts that apart from the DNS over TLS services
4646	  also provide other (web) services.
4647	- Fix #4149: Add SSL cleanup for tcp timeout.
4648
464917 September 2018: Wouter
4650	- Fix compile on Mac for unbound, provide explicit_bzero when libc
4651	  does not have it.
4652	- Fix unbound for openssl in FIPS mode, it uses the digests with
4653	  the EVP call contexts.
4654	- Fix that with harden-below-nxdomain and qname minisation enabled
4655	  some iterator states for nonresponsive domains can get into a
4656	  state where they waited for an empty list.
4657	- Stop UDP to TCP failover after timeouts that causes the ping count
4658	  to be reset by the TCP time measurement (that exists for TLS),
4659	  because that causes the UDP part to not be measured as timeout.
4660	- Fix #4156: Fix systemd service manager state change notification.
4661
466213 September 2018: Wouter
4663	- Fix seed for random backup code to use explicit zero when wiped.
4664	- exit log routine is annotated as noreturn function.
4665	- free memory leaks in config strlist and str2list insert functions.
4666	- do not move unused argv variable after getopt.
4667	- Remove unused if clause in testcode.
4668	- in testcode, free async ids, initialise array, and check for null
4669	  pointer during test of the test.  And use exit for return to note
4670	  irregular program stop.
4671	- Free memory leak in config strlist append.
4672	- make sure nsec3 comparison salt is initialized.
4673	- unit test has clang analysis.
4674	- remove unused variable assignment from iterator scrub routine.
4675	- check for null in delegation point during iterator refetch
4676	  in forward zone.
4677	- neater pointer cast in libunbound context quit routine.
4678	- initialize statistics totals for printout.
4679	- in authzone check that node exists before adding rrset.
4680	- in unbound-anchor, use readwrite memory BIO.
4681	- assertion in autotrust that packed rrset is formed correctly.
4682	- Fix memory leak when message parse fails partway through copy.
4683	- remove unused udpsize assignment in message encode.
4684	- nicer bio free code in unbound-anchor.
4685	- annotate exit functions with noreturn in unbound-control.
4686
468711 September 2018: Wouter
4688	- Fixed unused return value warnings in contrib/fastrpz.patch for
4689	  asprintf.
4690	- Fix to squelch respip warning in unit test, it is printed at
4691	  higher verbosity settings.
4692	- Fix spelling errors.
4693	- Fix initialisation in remote.c
4694
469510 September 2018: Wouter
4696	- 1.8.1 in svn trunk. (changes from 4,5,.. sep apply).
4697	- iana port update.
4698
46995 September 2018: Wouter
4700	- Fix spelling error in header, from getdns commit by Andreas Gelmini.
4701
47024 September 2018: Ralph
4703	- More explicitly mention the type of ratelimit when applying
4704	  ip-ratelimit.
4705
47064 September 2018: Wouter
4707	- Tag for 1.8.0rc1 release, became 1.8.0 release on 10 Sep 2018.
4708
470931 August 2018: Wouter
4710	- Disable minimal-responses in subnet unit tests.
4711
471230 August 2018: Wouter
4713	- Fix that a local-zone with a local-zone-type that is transparent
4714	  in a view with view-first, makes queries check for answers from the
4715	  local-zones defined outside of views.
4716
471728 August 2018: Ralph
4718	- Disable minimal-responses in ipsecmod unit tests.
4719	- Added serve-expired-ttl and serve-expired-ttl-reset options.
4720
472127 August 2018: Wouter
4722	- Set defaults to yes for a number of options to increase speed and
4723	  resilience of the server.  The so-reuseport, harden-below-nxdomain,
4724	  and minimal-responses options are enabled by default.  They used
4725	  to be disabled by default, waiting to make sure they worked.  They
4726	  are enabled by default now, and can be disabled explicitly by
4727	  setting them to "no" in the unbound.conf config file.  The reuseport
4728	  and minimal options increases speed of the server, and should be
4729	  otherwise harmless.  The harden-below-nxdomain option works well
4730	  together with the recently default enabled qname minimisation, this
4731	  causes more fetches to use information from the cache.
4732	- next release is called 1.8.0.
4733	- Fix lintflags for lint on FreeBSD.
4734
473522 August 2018: George
4736	- #4140: Expose repinfo (comm_reply) to the inplace_callbacks. This
4737	  gives access to reply information for the client's communication
4738	  point when the callback is called before the mesh state (modules).
4739	  Changes to C and Python's inplace_callback signatures were also
4740	  necessary.
4741
474221 August 2018: Wouter
4743	- log-local-actions: yes option for unbound.conf that logs all the
4744	  local zone actions, a patch from Saksham Manchanda (Secure64).
4745	- #4146: num.query.subnet and num.query.subnet_cache counters.
4746	- Fix only misc failure from log-servfail when val-log-level is not
4747	  enabled.
4748
474917 August 2018: Ralph
4750	- Fix classification for QTYPE=CNAME queries when QNAME minimisation is
4751 	  enabled.
4752
475317 August 2018: Wouter
4754	- Set libunbound to increase current, because the libunbound change
4755	  to the event callback function signature.  That needs programs,
4756	  that use it, to recompile against the new header definition.
4757	- print servfail info to log as error.
4758	- added more servfail printout statements, to the iterator.
4759	- log-servfail: yes prints log lines that say why queries are
4760	  returning SERVFAIL to clients.
4761
476216 August 2018: Wouter
4763	- Fix warning on compile without threads.
4764	- Fix contrib/fastrpz.patch.
4765
476615 August 2018: Wouter
4767	- Fix segfault in auth-zone read and reorder of RRSIGs.
4768
476914 August 2018: Wouter
4770	- Fix that printout of error for cycle targets is a verbosity 4
4771	  printout and does not wrongly print it is a memory error.
4772	- Upgraded crosscompile script to include libunbound DLL in the
4773	  zipfile.
4774
477510 August 2018: Wouter
4776	- Fix #4144: dns64 module caches wrong (negative) information.
4777
47789 August 2018: Wouter
4779	- unbound-checkconf checks if modules exist and prints if they are
4780	  not compiled in the name of the wrong module.
4781	- document --enable-subnet in doc/README.
4782	- Patch for stub-no-cache and forward-no-cache options that disable
4783	  caching for the contents of that stub or forward, for when you
4784	  want immediate changes visible, from Bjoern A. Zeeb.
4785
47867 August 2018: Ralph
4787	- Make capsforid fallback QNAME minimisation aware.
4788
47897 August 2018: Wouter
4790	- Fix #4142: unbound.service.in: improvements and fixes.
4791	  Add unit dependency ordering (based on systemd-resolved).
4792	  Add 'CAP_SYS_RESOURCE' to 'CapabilityBoundingSet' (fixes warnings
4793	  about missing privileges during startup). Add 'AF_INET6' to
4794	  'RestrictAddressFamilies' (without it IPV6 can't work). From
4795	  Guido Shanahan.
4796	- Patch to implement tcp-connection-limit from Jim Hague (Sinodun).
4797	  This limits the number of simultaneous TCP client connections
4798	  from a nominated netblock.
4799	- make depend, yacc, lex, doc, headers.  And log the limit exceeded
4800	  message only on high verbosity, so as to not spam the logs when
4801	  it is busy.
4802
48036 August 2018: Wouter
4804	- Fix for #4136: Fix to unconditionally call destroy in daemon.c.
4805
48063 August 2018: George
4807	- Expose if a query (or a subquery) was ratelimited (not src IP
4808	  ratelimiting) to libunbound under 'ub_result.was_ratelimited'.
4809	  This also introduces a change to 'ub_event_callback_type' in
4810	  libunbound/unbound-event.h.
4811	- Tidy pylib tests.
4812
48133 August 2018: Wouter
4814	- Revert previous change for #4136: because it introduces build
4815	  problems.
4816	- New fix for #4136: This one ignores lex without without
4817	  yylex_destroy.
4818
48191 August 2018: Wouter
4820	- Fix to remove systemd sockaddr function check, that is not
4821	  always present.  Make socket activation more lenient.  But not
4822	  different when socket activation is not used.
4823	- iana port list update.
4824
482531 July 2018: Wouter
4826	- Patches from Jim Hague (Sinodun) for EDNS KeepAlive.
4827	- Sort out test runs when the build directory isn't the project
4828	  root directory.
4829	- Add config tcp-idle-timeout (default 30s). This applies to
4830	  client connections only; the timeout on TCP connections upstream
4831	  is unaffected.
4832	- Error if EDNS Keepalive received over UDP.
4833	- Add edns-tcp-keepalive and edns-tcp-keepalive timeout options
4834	  and implement option in client responses.
4835	- Correct and expand manual page entries for keepalive and idle timeout.
4836	- Implement progressive backoff of TCP idle/keepalive timeout.
4837	- Fix 'make depend' to work when build dir is not project root.
4838	- Add delay parameter to streamtcp, -d secs.
4839	  To be used when testing idle timeout.
4840	- From Wouter: make depend, the dependencies in the patches did not
4841	  apply cleanly.  Also remade yacc and lex.
4842	- Fix mesh.c incompatible pointer pass.
4843	- Please doxygen so it passes.
4844	- Fix #4139: Fix unbound-host leaks memory on ANY.
4845
484630 July 2018: Wouter
4847	- Fix #4136: insufficiency from mismatch of FLEX capability between
4848	  released tarball and build host.
4849
485027 July 2018: Wouter
4851	- Fix man page, say that chroot is enabled by default.
4852
485326 July 2018: Wouter
4854	- Fix #4135: 64-bit Windows Installer Creates Entries Under The
4855	  Wrong Registry Key, reported by Brian White.
4856
485723 July 2018: Wouter
4858	- Fix use-systemd readiness signalling, only when use-systemd is yes
4859	  and not in signal handler.
4860
486120 July 2018: Wouter
4862	- Fix #4130: print text describing -dd and unbound-checkconf on
4863	  config file read error at startup, the errors may have been moved
4864	  away by the startup process.
4865	- Fix #4131: for solaris, error YY_CURRENT_BUFFER undeclared.
4866
486719 July 2018: Wouter
4868	- Fix #4129 unbound-control error message with wrong cert permissions
4869	  is too cryptic.
4870
487117 July 2018: Wouter
4872	- Fix #4127 unbound -h does not list -p help.
4873	- Print error if SSL name verification configured but not available
4874	  in the ssl library.
4875	- Fix that ratelimit and ip-ratelimit are applied after reload of
4876	  changed config file.
4877	- Resize ratelimit and ip-ratelimit caches if changed on reload.
4878
487916 July 2018: Wouter
4880	- Fix qname minimisation NXDOMAIN validation lookup failures causing
4881	  error_supers assertion fails.
4882	- Squelch can't bind socket errors with Permission denied unless
4883	  verbosity is 4 or higher, for UDP outgoing sockets.
4884
488512 July 2018: Wouter
4886	- Fix to improve systemd socket activation code file descriptor
4887	  assignment.
4888	- Fix for 4126 that the #define for UNKNOWN_SERVER_NICENESS can be more
4889	  easily changed to adjust default rtt assumptions.
4890
489110 July 2018: Wouter
4892	- Note in documentation that the cert name match code needs
4893	  OpenSSL 1.1.0 or later to be enabled.
4894
48956 July 2018: Wouter
4896	- Fix documentation ambiguity for tls-win-cert in tls-upstream and
4897	  forward-tls-upstream docs.
4898	- iana port update.
4899	- Note RFC8162 support.  SMIMEA record type can be read in by the
4900	  zone record parser.
4901	- Fix round robin for failed addresses with prefer-ip6: yes
4902
49034 July 2018: Wouter
4904	- Fix #4112: Fix that unbound-anchor -f /etc/resolv.conf will not pass
4905	  if DNSSEC is not enabled.  New option -R allows fallback from
4906	  resolv.conf to direct queries.
4907
49083 July 2018: Wouter
4909	- Better documentation for unblock-lan-zones and insecure-lan-zones
4910	  config statements.
4911	- Fix permission denied printed for auth zone probe random port nrs.
4912
49132 July 2018: Wouter
4914	- Fix checking for libhiredis printout in configure output.
4915	- Fix typo on man page in ip-address description.
4916	- Update libunbound/python/examples/dnssec_test.py example code to
4917	  also set the 20326 trust anchor for the root in the example code.
4918
491929 June 2018: Wouter
4920	- dns64-ignore-aaaa: config option to list domain names for which the
4921	  existing AAAA is ignored and dns64 processing is used on the A
4922	  record.
4923
492428 June 2018: Wouter
4925	- num.queries.tls counter for queries over TLS.
4926	- log port number with err_addr logs.
4927
492827 June 2018: Wouter
4929	- #4109: Fix that package config depends on python unconditionally.
4930	- Patch, do not export python from pkg-config, from Petr Menšík.
4931
493226 June 2018: Wouter
4933	- Partial fix for permission denied on IPv6 address on FreeBSD.
4934	- Fix that auth-zone master reply with current SOA serial does not
4935	  stop scan of masters for an updated zone.
4936	- Fix that auth-zone does not start the wait timer without checking
4937	  if the wait timer has already been started.
4938
493921 June 2018: Wouter
4940	- #4108: systemd reload hang fix.
4941	- Fix usage printout for unbound-host, hostname has to be last
4942	  argument on BSDs and Windows.
4943
494419 June 2018: Wouter
4945	- Fix for unbound-control on Windows and set TCP socket parameters
4946	  more closely.
4947	  This fix is part of 1.7.3.
4948	- Windows example service.conf edited with more windows specific
4949	  configuration.
4950	- Fix windows unbound-control no cert bad file descriptor error.
4951	  This fix is part of 1.7.3.
4952
495318 June 2018: Wouter
4954	- Fix that control-use-cert: no works for 127.0.0.1 to disable certs.
4955	  This fix is part of 1.7.3rc2.
4956	- Fix unbound-checkconf for control-use-cert.
4957	  This fix is part of 1.7.3.
4958
495915 June 2018: Wouter
4960	- tag for 1.7.3rc1.
4961	- trunk has 1.7.4.
4962	- unbound-control auth_zone_reload _zone_ option rereads the zonefile.
4963	- unbound-control auth_zone_transfer _zone_ option starts the probe
4964	  sequence for a master to transfer the zone from and transfers when
4965	  a new zone version is available.
4966
496714 June 2018: Wouter
4968	- #4103: Fix that auth-zone does not insist on SOA record first in
4969	  file for url downloads.
4970	- Fix that first control-interface determines if TLS is used.  Warn
4971	  when IP address interfaces are used without TLS.
4972	- Fix nettle compile.
4973
497412 June 2018: Ralph
4975	- Don't count CNAME response types received during qname minimisation as
4976	  query restart.
4977
497812 June 2018: Wouter
4979	- #4102 for NSD, but for Unbound.  Named unix pipes do not use
4980	  certificate and key files, access can be restricted with file and
4981	  directory permissions.  The option control-use-cert is no longer
4982	  used, and ignored if found in unbound.conf.
4983	- Rename tls-additional-ports to tls-additional-port, because every
4984	  line adds one port.
4985	- Fix buffer size warning in unit test.
4986	- remade dependencies in the Makefile.
4987
49886 June 2018: Wouter
4989	- Patch to fix openwrt for mac os build darwin detection in configure.
4990
49915 June 2018: Wouter
4992	- Fix crash if ratelimit taken into use with unbound-control
4993	  instead of with unbound.conf.
4994
49954 June 2018: Wouter
4996	- Fix deadlock caused by incoming notify for auth-zone.
4997	- tag for 1.7.2rc1, became 1.7.2 release on 11 June 2018,
4998	  trunk is 1.7.3 in development from this point.
4999	- #4100: Fix stub reprime when it becomes useless.
5000
50011 June 2018: Wouter
5002	- Rename additional-tls-port to tls-additional-ports.
5003	  The older name is accepted for backwards compatibility.
5004
500530 May 2018: Wouter
5006	- Patch from Syzdek: Add ability to ignore RD bit and treat all
5007	  requests as if the RD bit is set.
5008
500929 May 2018: Wouter
5010	- in compat/arc4random call getentropy_urandom when getentropy fails
5011	  with ENOSYS.
5012	- Fix that fallback for windows port.
5013
501428 May 2018: Wouter
5015	- Fix windows tcp and tls spin on events.
5016	- Add routine from getdns to add windows cert store to the SSL_CTX.
5017	- tls-win-cert option that adds the system certificate store for
5018	  authenticating DNS-over-TLS connections.  It can be used instead
5019	  of the tls-cert-bundle option, or with it to add certificates.
5020
502125 May 2018: Wouter
5022	- For TCP and TLS connections that don't establish, perform address
5023	  update in infra cache, so future selections can exclude them.
5024	- Fix that tcp sticky events are removed for closed fd on windows.
5025	- Fix close events for tcp only.
5026
502724 May 2018: Wouter
5028	- Fix that libunbound can do DNS-over-TLS, when configured.
5029	- Fix that windows unbound service can use DNS-over-TLS.
5030	- unbound-host initializes ssl (for potential DNS-over-TLS usage
5031	  inside libunbound), when ssl upstream or a cert-bundle is configured.
5032
503323 May 2018: Wouter
5034	- Use accept4 to speed up incoming TCP (and TLS) connections,
5035	  available on Linux, FreeBSD and OpenBSD.
5036
503717 May 2018: Ralph
5038	- Qname minimisation default changed to yes.
5039
504015 May 2018: Wouter
5041	- Fix low-rtt-pct to low-rtt-permil, as it is parts in one thousand.
5042
504311 May 2018: Wouter
5044	- Fix contrib/libunbound.pc for libssl libcrypto references,
5045	  from https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226914
5046
50477 May 2018: Wouter
5048	- Fix windows to not have sticky TLS events for TCP.
5049	- Fix read of DNS over TLS length and data in one read call.
5050	- Fix mesh state assertion failure due to callback removal.
5051
50523 May 2018: Wouter
5053	- Fix that configure --with-libhiredis also turns on cachedb.
5054	- Fix gcc 8 buffer warning in testcode.
5055	- Fix function type cast warning in libunbound context callback type.
5056
50572 May 2018: Wouter
5058	- Fix fail to reject dead peers in forward-zone, with ssl-upstream.
5059
50601 May 2018: Wouter
5061	- Fix that unbound-control reload frees the rrset keys and returns
5062	  the memory pages to the system.
5063
506430 April 2018: Wouter
5065	- Fix spelling error in man page and note defaults as no instead of
5066	  off.
5067
506826 April 2018: Wouter
5069	- Fix for crash in daemon_cleanup with dnstap during reload,
5070	  from Saksham Manchanda.
5071	- Also that for dnscrypt.
5072	- tag for 1.7.1rc1 release.  Became 1.7.1 release on 3 May, trunk
5073	  is from here 1.7.2 in development.
5074
507525 April 2018: Ralph
5076	- Fix memory leak when caching wildcard records for aggressive NSEC use
5077
507824 April 2018: Wouter
5079	- Fix contrib/fastrpz.patch for this release.
5080	- Fix auth https for libev.
5081
508224 April 2018: Ralph
5083	- Added root-key-sentinel support
5084
508523 April 2018: Wouter
5086	- makedist uses bz2 for expat code, instead of tar.gz.
5087	- Fix #4092: libunbound: use-caps-for-id lacks colon in
5088	  config_set_option.
5089	- auth zone http download stores exact copy of downloaded file,
5090	  including comments in the file.
5091	- Fix sldns parse failure for CDS alternate delete syntax empty hex.
5092	- Attempt for auth zone fix; add of callback in mesh gets from
5093	  callback does not skip callback of result.
5094	- Fix cname classification with qname minimisation enabled.
5095	- list_auth_zones unbound-control command.
5096
509720 April 2018: Wouter
5098	- man page documentation for dns-over-tls forward-addr '#' notation.
5099	- removed free from failed parse case.
5100	- Fix #4091: Fix that reload of auth-zone does not merge the zonefile
5101	  with the previous contents.
5102	- Delete auth zone when removed from config.
5103
510419 April 2018: Wouter
5105	- Can set tls authentication with forward-addr: IP#tls.auth.name
5106	  And put the public cert bundle in tls-cert-bundle: "ca-bundle.pem".
5107	  such as forward-addr: 9.9.9.9@853#dns.quad9.net or
5108	  1.1.1.1@853#cloudflare-dns.com
5109	- Fix #658: unbound using TLS in a forwarding configuration does not
5110	  verify the server's certificate (RFC 8310 support).
5111	- For addr with #authname and no @port notation, the default is 853.
5112
511318 April 2018: Wouter
5114	- Fix auth-zone retry timer to be on schedule with retry timeout,
5115	  with backoff.  Also time a refresh at the zone expiry.
5116
511717 April 2018: Wouter
5118	- auth zone notify work.
5119	- allow-notify: config statement for auth-zones.
5120	- unit test for allow-notify
5121
512216 April 2018: Wouter
5123	- Fix auth zone target lookup iterator.
5124	- auth zone notify with prefix
5125	- auth zone notify work.
5126
512713 April 2018: Wouter
5128	- Fix for max include depth for authzones.
5129	- Fix memory free on fail for $INCLUDE in authzone.
5130	- Fix that an internal error to look up the wrong rr type for
5131	  auth zone gets stopped, before trying to send there.
5132	- auth zone notify work.
5133
513410 April 2018: Ralph
5135	- num.query.aggressive.NOERROR and num.query.aggressive.NXDOMAIN
5136	  statistics counters.
5137
513810 April 2018: Wouter
5139	- documentation for low-rtt and low-rtt-pct.
5140	- auth zone notify work.
5141
51429 April 2018: Wouter
5143	- Fix that flush_zone sets prefetch ttl expired, so that with
5144	  serve-expired enabled it'll start prefetching those entries.
5145	- num.query.authzone.up and num.query.authzone.down statistics counters.
5146	- Fix downstream auth zone, only fallback when auth zone fails to
5147	  answer and fallback is enabled.
5148	- Accept both option names with and without colon for get_option
5149	  and set_option.
5150	- low-rtt and low-rtt-pct in unbound.conf enable the server selection
5151	  of fast servers for some percentage of the time.
5152
51535 April 2018: Wouter
5154	- Combine write of tcp length and tcp query for dns over tls.
5155	- nitpick fixes in example.conf.
5156	- Fix above stub queries for type NS and useless delegation point.
5157	- Fix unbound-control over pipe with openssl 1.1.1, the TLSv1.3
5158	  tls_choose_sigalg routine does not allow the ciphers for the pipe,
5159	  so use TLSv1.2.
5160	- ED448 support.
5161
51623 April 2018: Wouter
5163	- Fix #4043: make test fails due to v6 presentation issue in macOS.
5164	- Fix unable to resolve after new WLAN connection, due to auth-zone
5165	  failing with a forwarder set.  Now, auth-zone is only used for
5166	  answers (not referrals) when a forwarder is set.
5167
516829 March 2018: Ralph
5169	- Check "result" in dup_all(), by Florian Obser.
5170
517123 March 2018: Ralph
5172	- Fix unbound-control get_option aggressive-nsec
5173
517421 March 2018: Ralph
5175	- Do not use cached NSEC records to generate negative answers for
5176	  domains under DNSSEC Negative Trust Anchors.
5177
517819 March 2018: Wouter
5179	- iana port update.
5180
518116 March 2018: Wouter
5182	- corrected a minor typo in the changelog.
5183	- move htobe64/be64toh portability code to cachedb.c.
5184
518515 March 2018: Wouter
5186	- Add --with-libhiredis, unbound support for a new cachedb backend
5187	  that uses a Redis server as the storage.  This implementation
5188	  depends on the hiredis client library (https://redislabs.com/lp/hiredis/).
5189	  And unbound should be built with both --enable-cachedb and
5190	  --with-libhiredis[=PATH] (where $PATH/include/hiredis/hiredis.h
5191	  should exist).  Patch from Jinmei Tatuya (Infoblox).
5192	- Fix #3817: core dump happens in libunbound delete, when queued
5193	  servfail hits deleted message queue.
5194	- Create additional tls service interfaces by opening them on other
5195	  portnumbers and listing the portnumbers as additional-tls-port: nr.
5196
519713 March 2018: Wouter
5198	- Fix typo in documentation.
5199	- Fix #3736: Fix 0 TTL domains stuck on SERVFAIL unless manually
5200	  flushed with serve-expired on.
5201
520212 March 2018: Wouter
5203	- Added documentation for aggressive-nsec: yes.
5204	- tag 1.7.0rc3.  That became the 1.7.0 release on 15 Mar, trunk
5205	  now has 1.7.1 in development.
5206	- Fix #3727: Protocol name is TLS, options have been renamed but
5207	  documentation is not consistent.
5208	- Check IXFR start serial.
5209
52109 March 2018: Wouter
5211	- Fix #3598: Fix swig build issue on rhel6 based system.
5212	  configure --disable-swig-version-check stops the swig version check.
5213
52148 March 2018: Wouter
5215	- tag 1.7.0rc2.
5216
52177 March 2018: Wouter
5218	- Fixed contrib/fastrpz.patch, even though this already applied
5219	  cleanly for me, now also for others.
5220	- patch to log creates keytag queries, from A. Schulze.
5221	- patch suggested by Debian lintian: allow to -> allow one to, from
5222	  A. Schulze.
5223	- Attempt to remove warning about trailing whitespace.
5224
52256 March 2018: Wouter
5226	- Reverted fix for #3512, this may not be the best way forward;
5227	  although it could be changed at a later time, to stay similar to
5228	  other implementations.
5229	- svn trunk contains 1.7.0, this is the number for the next release.
5230	- Fix for windows compile.
5231	- tag 1.7.0rc1.
5232
52335 March 2018: Wouter
5234	- Fix to check define of DSA for when openssl is without deprecated.
5235	- iana port update.
5236	- Fix #3582: Squelch address already in use log when reuseaddr option
5237	  causes same port to be used twice for tcp connections.
5238
523927 February 2018: Wouter
5240	- Fixup contrib/fastrpz.patch so that it applies.
5241	- Fix compile without threads, and remove unused variable.
5242	- Fix compile with staticexe and python module.
5243	- Fix nettle compile.
5244
524522 February 2018: Ralph
5246	- Save wildcard RRset from answer with original owner for use in
5247 	  aggressive NSEC.
5248
524921 February 2018: Wouter
5250	- Fix #3512: unbound incorrectly reports SERVFAIL for CAA query
5251	  when there is a CNAME loop.
5252	- Fix validation for CNAME loops.  When it detects a cname loop,
5253	  by finding the cname, cname in the existing list, it returns
5254	  the partial result with the validation result up to then.
5255	- more robust cachedump rrset routine.
5256
525719 February 2018: Wouter
5258	- Fix #3505: Documentation for default local zones references
5259	  wrong RFC.
5260	- Fix #3494: local-zone noview can be used to break out of the view
5261	  to the global local zone contents, for queries for that zone.
5262	- Fix for more maintainable code in localzone.
5263
526416 February 2018: Wouter
5265	- Fixes for clang static analyzer, the missing ; in
5266	  edns-subnet/addrtree.c after the assert made clang analyzer
5267	  produce a failure to analyze it.
5268
526913 February 2018: Ralph
5270	- Aggressive NSEC tests
5271
527213 February 2018: Wouter
5273	- tls-cert-bundle option in unbound.conf enables TLS authentication.
5274	- iana port update.
5275
527612 February 2018: Wouter
5277	- Unit test for auth zone https url download.
5278
527912 February 2018: Ralph
5280	- Added tests with wildcard expanded NSEC records (CVE-2017-15105 test)
5281	- Processed aggressive NSEC code review remarks Wouter
5282
52838 February 2018: Ralph
5284	- Aggressive use of NSEC implementation. Use cached NSEC records to
5285	  generate NXDOMAIN, NODATA and positive wildcard answers.
5286
52878 February 2018: Wouter
5288	- iana port update.
5289	- auth zone url config.
5290
52915 February 2018: Wouter
5292	- Fix #3451: dnstap not building when you have a separate build dir.
5293	  And removed protoc warning, set dnstap.proto syntax to proto2.
5294	- auth-zone provides a way to configure RFC7706 from unbound.conf,
5295	  eg. with auth-zone: name: "." for-downstream: no for-upstream: yes
5296	  fallback-enabled: yes and masters or a zonefile with data.
5297
52982 February 2018: Wouter
5299	- Fix unfreed locks in log and arc4random at exit of unbound.
5300	- unit test with valgrind
5301	- Fix lock race condition in dns cache dname synthesis.
5302	- lock subnet new item before insertion to please checklocks,
5303	  no modification of critical regions outside of lock region.
5304
53051 February 2018: Wouter
5306	- fix unaligned structure making a false positive in checklock
5307	  uninitialised memory.
5308
530929 January 2018: Ralph
5310	- Use NSEC with longest ce to prove wildcard absence.
5311	- Only use *.ce to prove wildcard absence, no longer names.
5312
531325 January 2018: Wouter
5314	- ltrace.conf file for libunbound in contrib.
5315
531623 January 2018: Wouter
5317	- Fix that unbound-checkconf -f flag works with auto-trust-anchor-file
5318	  for startup scripts to get the full pathname(s) of anchor file(s).
5319	- Print fatal errors about remote control setup before log init,
5320	  so that it is printed to console.
5321
532222 January 2018: Wouter
5323	- Accept tls-upstream in unbound.conf, the ssl-upstream keyword is
5324	  also recognized and means the same.  Also for tls-port,
5325	  tls-service-key, tls-service-pem, stub-tls-upstream and
5326	  forward-tls-upstream.
5327	- Fix #3397: Fix that cachedb could return a partial CNAME chain.
5328	- Fix #3397: Fix that when the cache contains an unsigned DNAME in
5329	  the middle of a cname chain, a result without the DNAME could
5330	  be returned.
5331
533219 January 2018: Wouter
5333	- tag 1.6.8 for release with CVE fix.
5334	- trunk has 1.6.9 with fix and previous commits.
5335	- patch for CVE-2017-15105: vulnerability in the processing of
5336	  wildcard synthesized NSEC records.
5337	- iana port update.
5338	- make depend: code dependencies updated in Makefile.
5339
53404 January 2018: Ralph
5341	- Copy query and correctly set flags on REFUSED answers when cache
5342	  snooping is not allowed.
5343
53443 January 2018: Ralph
5345	- Fix queries being leaked above stub when refetching glue.
5346
53472 January 2017: Wouter
5348	- Fix that DS queries with referral replies are answered straight
5349	  away, without a repeat query picking the DS from cache.
5350	  The correct reply should have been an answer, the reply is fixed
5351	  by the scrubber to have the answer in the answer section.
5352	- Remove clang optimizer disable,
5353	  Fix that expiration date checks don't fail with clang -O2.
5354
535515 December 2017: Wouter
5356	- Fix timestamp failure because of clang optimizer failure, by
5357	  disabling -O2 when the compiler --version is clang.
5358	- iana port update.
5359	- Also disable -flto for clang, to make incep-expi signature check
5360	  work.
5361
536212 December 2017: Ralph
5363	- Fix qname-minimisation documentation (A QTYPE, not NS)
5364
536512 December 2017: Wouter
5366	- authzone work, transfer connect.
5367
53687 December 2017: Ralph
5369	- Check whether --with-libunbound-only is set when using --with-nettle
5370	  or --with-nss.
5371
53724 December 2017: Wouter
5373	- Fix link failure on OmniOS.
5374
53751 December 2017: Wouter
5376	- auth zone work.
5377
537830 November 2017: Wouter
5379	- Fix #3299 - forward CNAME daisy chain is not working
5380
538114 November 2017: Wouter
5382	- Fix #2882: Unbound behaviour changes (wrong) when domain-insecure is
5383	  set for stub zone.  It no longer searches for DNSSEC information.
5384	- auth xfer work on probe timer and lookup.
5385
538613 November 2017: Wouter
5387	- Fix #2801: Install libunbound.pc.
5388	- Fix qname minimisation to send AAAA queries at zonecut like type A.
5389	- reverted AAAA change.
5390
53917 November 2017: Wouter
5392	- Fix #2492: Documentation libunbound.
5393
53943 November 2017: Wouter
5395	- Fix #2362: TLS1.3/openssl-1.1.1 not working.
5396	- Fix #2034 - Autoconf and -flto.
5397	- Fix #2141 - for libsodium detect lack of entropy in chroot, print
5398	  a message and exit.
5399
54002 November 2017: Wouter
5401	- Fix #1913: ub_ctx_config is under circumstances thread-safe.
5402	- make ip-transparent option work on OpenBSD.
5403
540431 October 2017: Wouter
5405	- Document that errno is left informative on libunbound config read
5406	  fail.
5407	- lexer output.
5408	- iana port update.
5409
541025 October 2017: Ralph
5411	- Fixed libunbound manual typo.
5412	- Fix #1949: [dnscrypt] make provider name mismatch more obvious.
5413	- Fix #2031: Double included headers
5414
541524 October 2017: Ralph
5416	- Update B root ipv4 address.
5417
541819 October 2017: Wouter
5419	- authzone work, probe timer setup.
5420
542118 October 2017: Wouter
5422	- lint for recent authzone commit.
5423
542417 October 2017: Wouter
5425	- Fix #1749: With harden-referral-path: performance drops, due to
5426	  circular dependency in NS and DS lookups.
5427	- [dnscrypt] prevent dnscrypt-secret-key, dnscrypt-provider-cert
5428	  duplicates
5429	- [dnscrypt] introduce dnscrypt-provider-cert-rotated option,
5430	  from Manu Bretelle.
5431	This option allows handling multiple cert/key pairs while only
5432	distributing some of them.
5433	In order to reliably match a client magic with a given key without
5434	strong assumption as to how those were generated, we need both key and
5435	cert. Likewise, in order to know which ES version should be used.
5436	On the other hand, when rotating a cert, it can be desirable to only
5437	serve the new cert but still be able to handle clients that are still
5438	using the old certs's public key.
5439	The `dnscrypt-provider-cert-rotated` allow to instruct unbound to not
5440	publish the cert as part of the DNS's provider_name's TXT answer.
5441	- Better documentation for cache-max-negative-ttl.
5442	- Work on local root zone code.
5443
544410 October 2017: Wouter
5445	- tag 1.6.7
5446	- trunk has version 1.6.8.
5447
54486 October 2017: Wouter
5449	- Fix spelling in unbound-control man page.
5450
54515 October 2017: Wouter
5452	- Fix trust-anchor-signaling works in libunbound.
5453	- Fix some more crpls in testdata for different signaling default.
5454	- tag 1.6.7rc1
5455
54565 October 2017: Ralph
5457	- Set trust-anchor-signaling default to yes
5458	- Use RCODE from A query on DNS64 synthesized answer.
5459
54602 October 2017: Wouter
5461	- Fix param unused warning for windows exportsymbol compile.
5462
546325 September 2017: Ralph
5464	- Fix #1450: Generate again patch contrib/aaaa-filter-iterator.patch
5465	   (by Danilo G. Baio).
5466
546721 September 2017: Ralph
5468	- Log name of looping module
5469
547019 September 2017: Wouter
5471	- use a cachedb answer even if it's "expired" when serve-expired is yes
5472	  (patch from Jinmei Tatuya).
5473	- trigger refetching of the answer in that case (this will bypass
5474	  cachedb lookup)
5475	- allow storing a 0-TTL answer from cachedb in the in-memory message
5476	  cache when serve-expired is yes
5477	- Fix DNSCACHE_STORE_ZEROTTL to be bigger than 0xffff.
5478
547918 September 2017: Ralph
5480	- Fix #1400: allowing use of global cache on ECS-forwarding unless
5481	  always-forward.
5482
548318 September 2017: Wouter
5484	- tag 1.6.6 (is 1.6.6rc2)
5485	- Fix that looping modules always stop the query, and don't pass
5486	  control.
5487	- Fix #1435: Please allow UDP to be disabled separately upstream and
5488	  downstream.
5489	- Fix #1440: [dnscrypt] client nonce cache.
5490
549115 September 2017: Wouter
5492	- Fix unbound-host to report error for DNSSEC state of failed lookups.
5493	- Spelling fixes, from Josh Soref.
5494
549513 September 2017: Wouter
5496	- tag 1.6.6rc2, became 1.6.6 on 18 sep.  trunk 1.6.7 in development.
5497
549812 September 2017: Wouter
5499	- Add dns64 for client-subnet in unbound-checkconf.
5500
55014 September 2017: Ralph
5502	- Fix #1412: QNAME minimisation strict mode not honored
5503	- Fix #1434: Fix windows openssl 1.1.0 linking.
5504
55054 September 2017: Wouter
5506	- tag 1.6.6rc1
5507	- makedist fix for windows binaries, with openssl 1.1.0 windres fix,
5508	  and expat 2.2.4 install target fix.
5509
55101 September 2017: Wouter
5511	- Recommend 1472 buffer size in unbound.conf
5512
551331 August 2017: Wouter
5514	- Fix #1424: cachedb:testframe is not thread safe.
5515	- For #1417: escape ; in dnscrypt tests.
5516	- but reverted that, tests fails with that escape.
5517	- Fix #1417: [dnscrypt] shared secret cache counters, and works when
5518	  dnscrypt is not enabled.  And cache size configuration option.
5519	- make depend
5520	- Fix #1418: [ip ratelimit] initialize slabhash using
5521	  ip-ratelimit-slabs.
5522
552330 August 2017: Wouter
5524	- updated contrib/fastrpz.patch to apply with configparser changes.
5525	- Fix 1416: qname-minimisation breaks TLSA lookups with CNAMEs.
5526
552729 August 2017: Wouter
5528	- Fix #1414: fix segfault on parse failure and log_replies.
5529	- zero qinfo in handle_request, this zeroes local_alias and also the
5530	  qname member.
5531	- new keys and certs for dnscrypt tests.
5532	- fixup WKS test on buildhost without servicebyname.
5533
553428 August 2017: Wouter
5535	- Fix #1415: patch to free dnscrypt environment on reload.
5536	- iana portlist update
5537	- Fix #1415: [dnscrypt] shared secret cache, patch from
5538	  Manu Bretelle.
5539	- Small fixes for the shared secret cache patch.
5540	- Fix WKS records on kvm autobuild host, with default protobyname
5541	  entries for udp and tcp.
5542
554323 August 2017: Wouter
5544	- Fix #1407: Add ECS options check to unbound-checkconf.
5545	- make depend
5546	- Fix to reclaim tcp handler when it is closed due to dnscrypt buffer
5547	  allocation failure.
5548
554922 August 2017: Wouter
5550	- Fix install of trust anchor when two anchors are present, makes both
5551	  valid. Checks hash of DS but not signature of new key. This fixes
5552	  the root.key file if created when unbound is installed between
5553	  sep11 and oct11 2017.
5554	- tag 1.6.5 with pointrelease 1.6.5 (1.6.4 plus 5011 fix).
5555	- trunk version 1.6.6 in development.
5556	- Fix issue on macOX 10.10 where TCP fast open is detected but not
5557	  implemented causing TCP to fail. The fix allows fallback to regular
5558	  TCP in this case and is also more robust for cases where connectx()
5559	  fails for some reason.
5560	- Fix #1402: squelch invalid argument error for fd_set_block on windows.
5561
556210 August 2017: Wouter
5563	- Patch to show DNSCrypt status in help output, from Carsten
5564	  Strotmann.
5565
55668 August 2017: Wouter
5567	- Fix #1398: make cachedb secret configurable.
5568	- Remove spaces from Makefile.
5569
55707 August 2017: Wouter
5571	- Fix #1397: Recursive DS lookups for AS112 zones names should recurse.
5572
55733 August 2017: Ralph
5574	- Remove unused iter_env member (ip6arpa_dname)
5575	- Do not reset rrset.bogus stats when called using stats_noreset.
5576	- Added stats for queries that have been ratelimited by domain
5577	  recursion.
5578	- Do not add rrset_bogus and query ratelimiting stats per thread, these
5579	  module stats are global.
5580
55813 August 2017: Wouter
5582	- Fix #1394: mix of serve-expired and response-ip could cause a crash.
5583
558424 July 2017: Wouter
5585	- upgrade aclocal(pkg.m4 0.29.1), config.guess(2016-10-02),
5586	  config.sub(2016-09-05).
5587	- annotate case statement fallthrough for gcc 7.1.1.
5588	- flex output from flex 2.6.1.
5589	- snprintf of thread number does not warn about truncated string.
5590	- squelch TCP fast open error on FreeBSD when kernel has it disabled,
5591	  unless verbosity is high.
5592	- remove warning from windows compile.
5593	- Fix compile with libnettle
5594	- Fix DSA configure switch (--disable dsa) for libnettle and libnss.
5595	- Fix #1365: Add Ed25519 support using libnettle.
5596	- iana portlist update
5597
559817 July 2017: Wouter
5599	- Fix #1350: make cachedb backend configurable (from JINMEI Tatuya).
5600	- Fix #1349: allow suppression of pidfiles (from Daniel Kahn Gillmor).
5601	  With the -p option unbound does not create a pidfile.
5602
560311 July 2017: Wouter
5604	- Fix #1344: RFC6761-reserved domains: test. and invalid.
5605	- Redirect all localhost names to localhost address for RFC6761.
5606
56076 July 2017: Wouter
5608	- Fix tests to use .tdir (from Manu Bretelle) instead of .tpkg.
5609	- Fix svn hooks for tdir (selected if testcode/mini_tdir.sh exists)..
5610
56114 July 2017: Wouter
5612	- Fix 1332: Bump verbosity of failed chown'ing of the control socket.
5613
56143 July 2017: Wouter
5615	- Fix for unbound-checkconf, check ipsecmod-hook if ipsecmod is turned
5616	  on.
5617	- Fix #1331: libunbound segfault in threaded mode when context is
5618	  deleted.
5619	- Fix pythonmod link line option flag.
5620	- Fix openssl 1.1.0 load of ssl error strings from ssl init.
5621
562229 June 2017: Wouter
5623	- Fix python example0 return module wait instead of error for pass.
5624	- iana portlist update
5625	- enhancement for hardened-tls for DNS over TLS.  Removed duplicated
5626	  security settings.
5627
562827 June 2017: Wouter
5629	- Tag 1.6.4 is created with the 1.6.4rc2 contents.
5630	- Trunk contains 1.6.5, with changes from 26, 27 june.
5631	- Remove signed unsigned warning from authzone.
5632	- Fix that infra cache host hash does not change after reconfig.
5633
563426 June 2017: Wouter
5635	- (for 1.6.5)
5636	  Better fixup of dnscrypt_cert_chacha test for different escapes.
5637	- First fix for zero b64 and hex text zone format in sldns.
5638	- unbound-control dump_infra prints port number for address if not 53.
5639
564023 June 2017: Wouter
5641	- (for 1.6.5): fixup of dnscrypt_cert_chacha test (from Manu Bretelle).
5642
564322 June 2017: Wouter
5644	- Tag 1.6.4rc2
5645
564622 June 2017: Ralph
5647	- Added fastrpz patch to contrib
5648
564921 June 2017: Wouter
5650	- Fix #1316: heap read buffer overflow in parse_edns_options.
5651
565220 June 2017: Wouter
5653	- Fix warning in pythonmod under clang compiler.
5654	- Tag 1.6.4rc1
5655	- Fix lintian typo.
5656
565716 June 2017: Ralph
5658	- Fix #1277: disable domain ratelimit by setting value to 0.
5659
566016 June 2017: Wouter
5661	- Fix #1301: memory leak in respip and tests.
5662	- Free callback in edns-subnetmod on exit and restart.
5663	- Fix memory leak in sldns_buffer_new_frm_data.
5664	- Fix memory leak in dnscrypt config read.
5665	- Fix dnscrypt chacha cert support ifdefs.
5666	- Fix dnscrypt chacha cert unit test escapes in grep.
5667	- Remove asynclook tests that cause test and purifier problems.
5668	- Fix to unlock view in view test.
5669
567015 June 2017: Wouter
5671	- Fix stub zone queries leaking to the internet for
5672	  harden-referral-path ns checks.
5673	- Fix query for refetch_glue of stub leaking to internet.
5674
567513 June 2017: Wouter
5676	- Fix #1279: Memory leak on reload when python module is enabled.
5677	- Fix #1280: Unbound fails assert when response from authoritative
5678	  contains malformed qname.  When 0x20 caps-for-id is enabled, when
5679	  assertions are not enabled the malformed qname is handled correctly.
5680	- 1.6.3 tag created, with only #1280 fix, trunk is 1.6.4 development.
5681	- More fixes in depth for buffer checks in 0x20 qname checks.
5682
568312 June 2017: Wouter
5684	- Fix #1278: Incomplete wildcard proof.
5685
56868 June 2017: Ralph
5687	- Added domain name based ECS whitelist.
5688
56898 June 2017: Wouter
5690	- Detect chacha for dnscrypt at configure time.
5691	- dnscrypt unit tests with chacha.
5692
56937 June 2017: Wouter
5694	- Fix that unbound-control can set val_clean_additional and val_permissive_mode.
5695	- Add dnscrypt XChaCha20 tests.
5696
56976 June 2017: Wouter
5698	- Add an explicit type cast for TCP FASTOPEN fix.
5699	- renumbering B-Root's IPv6 address to 2001:500:200::b.
5700	- Fix #1275: cached data in cachedb is never used.
5701	- Fix #1276: [dnscrypt] add XChaCha20-Poly1305 cipher.
5702
57031 June 2017: Ralph
5704	- Fix #1274: automatically trim chroot path from dnscrypt key/cert paths
5705	  (from Manu Bretelle).
5706
57071 June 2017: Wouter
5708	- Fix fastopen EPIPE fallthrough to perform connect.
5709
571031 May 2017: Ralph
5711	- Also use global local-zones when there is a matching view that does
5712	  not have any local-zone specified.
5713
571431 May 2017: Wouter
5715	- Fix #1273: cachedb.c doesn't compile with -Wextra.
5716	- If MSG_FASTOPEN gives EPIPE fallthrough to try normal tcp write.
5717
571830 May 2017: Ralph
5719	- Fix #1269: inconsistent use of built-in local zones with views.
5720	- Add defaults for new local-zone trees added to views using
5721	  unbound-control.
5722
572330 May 2017: Wouter
5724	- Support for openssl EVP_DigestVerify.
5725	- Support for the ED25519 algorithm with openssl (from openssl 1.1.1).
5726
572729 May 2017: Wouter
5728	- Fix assertion for low buffer size and big edns payload when worker
5729	  overrides udpsize.
5730
573126 May 2017: Ralph
5732	- Added redirect-bogus.patch to contrib directory.
5733
573426 May 2017: Wouter
5735	- Fix #1270: unitauth.c doesn't compile with higher warning level
5736	  and optimization
5737	- exec_prefix is by default equal to prefix.
5738	- printout localzone for duplicate local-zone warnings.
5739
574024 May 2017: Wouter
5741	- authzone cname chain, no rrset duplicates, wildcard doesn't change
5742	  rrsets added for cname chain.
5743
574423 May 2017: Wouter
5745	- first services/authzone check in, it compiles and reads and writes
5746	  zonefiles.
5747	- iana portlist update
5748
574922 May 2017: Wouter
5750	- Fix #1268: SIGSEGV after log_reopen.
5751
575218 May 2017: Wouter
5753	- Fix #1265 to use /bin/kill.
5754	- Fix #1267: Libunbound validator/val_secalgo.c uses obsolete APIs,
5755	  and compatibility with BoringSSL.
5756
575717 May 2017: Wouter
5758	- Fix #1265: contrib/unbound.service contains hardcoded path.
5759
576017 May 2017: George
5761	- Use qstate's region for IPSECKEY rrset (ipsecmod).
5762
576316 May 2017: George
5764	- Implemented opportunistic IPsec support module (ipsecmod).
5765	- Some whitespace fixup.
5766
576716 May 2017: Wouter
5768	- updated dependencies in the makefile.
5769	- document trust-anchor-signaling in example config file.
5770	- updated configure, dependencies and flex output.
5771	- better module memory lookup, fix of unbound-control shm names for
5772	  module memory printout of statistics.
5773	- Fix type AVC sldns rrdef.
5774
577512 May 2017: Wouter
5776	- Adjust servfail by iterator to not store in cache when serve-expired
5777	  is enabled, to avoid overwriting useful information there.
5778	- Fix queries for nameservers under a stub leaking to the internet.
5779
57809 May 2017: Ralph
5781	- Add 'c' to getopt() in testbound.
5782	- iana portlist update
5783
57848 May 2017: Wouter
5785	- Fix tcp-mss failure printout text.
5786	- Set SO_REUSEADDR on outgoing tcp connections to fix the bind before
5787	  connect limited tcp connections.  With the option tcp connections
5788	  can share the same source port (for different destinations).
5789
57902 May 2017: Ralph
5791	- Added mesh_add_sub to add detached mesh entries.
5792	- Use mesh_add_sub for key tag signaling query.
5793
57942 May 2017: Wouter
5795	- Added test for leak of stub information.
5796	- Fix sldns wire2str printout of RR type CAA tags.
5797	- Fix sldns int16_data parse.
5798	- Fix sldns parse and printout of TSIG RRs.
5799	- sldns SMIMEA and AVC definitions, same as getdns definitions.
5800
58011 May 2017: Wouter
5802	- Fix #1259: "--disable-ecdsa" argument overwritten
5803	  by "#ifdef SHA256_DIGEST_LENGTH@daemon/remote.c".
5804	- iana portlist update
5805	- Fix #1258: Windows 10 X64 unbound 1.6.2 service will not start.
5806	  and fix that 64bit getting installed in C:\Program Files (x86).
5807
580826 April 2017: Ralph
5809	- Implemented trust anchor signaling using key tag query.
5810
581126 April 2017: Wouter
5812	- Based on #1257: check parse limit before t increment in sldns RR
5813	  string parse routine.
5814
581524 April 2017: Wouter
5816	- unbound-checkconf -o allows query of dnstap config variables.
5817	  Also unbound-control get_option.  Also for dnscrypt.
5818	- trunk contains 1.6.3 version number (changes from 1.6.2 back from
5819	  when the 1.6.2rc1 tag has been created).
5820
582121 April 2017: Ralph
5822	- Fix #1254: clarify ratelimit-{for,below}-domain (from Manu Bretelle).
5823	- iana portlist update
5824
582518 April 2017: Ralph
5826	- Fix #1252: more indentation inconsistencies.
5827	- Fix #1253: unused variable in edns-subnet/addrtree.c:getbit().
5828
582913 April 2017: Ralph
5830	- Added ECS unit test (from Manu Bretelle).
5831	- ECS documentation fix (from Manu Bretelle).
5832
583313 April 2017: Wouter
5834	- Fix #1250: inconsistent indentation in services/listen_dnsport.c.
5835	- tag for 1.6.2rc1
5836	- (for 1.6.3:) unbound.h exports the shm stats structures.  They use
5837	  type long long and no ifdefs, and ub_ before the typenames.
5838
583912 April 2017: Wouter
5840	- subnet mem value is available in shm, also when not enabled,
5841	  to make the struct easier to memmap by other applications,
5842	  independent of the configuration of unbound.
5843
584412 April 2017: Ralph
5845	- Fix #1247: unbound does not shorten source prefix length when
5846	  forwarding ECS.
5847	- Properly check for allocation failure in local_data_find_tag_datas.
5848	- Fix #1249: unbound doesn't return FORMERR to bogus ECS.
5849	- Set SHM ECS memory usage to 0 when module not loaded.
5850
585111 April 2017: Ralph
5852	- Display ECS module memory usage.
5853
585410 April 2017: Wouter
5855	- harden-algo-downgrade: no also makes unbound more lenient about
5856	  digest algorithms in DS records.
5857
585810 April 2017: Ralph
5859	- Remove ECS option after REFUSED answer.
5860	- Fix small memory leak in edns_opt_copy_alloc.
5861	- Respip dereference after NULL check.
5862	- Zero initialize addrtree allocation.
5863	- Use correct identifier for SHM destroy.
5864
58657 April 2017: George
5866	- Fix pythonmod for cb changes.
5867	- Some whitespace fixup.
5868
58697 April 2017: Ralph
5870	- Unlock view in respip unit test
5871
58726 April 2017: Ralph
5873	- Generalise inplace callback (de)registration
5874	- (de)register inplace callbacks for module id
5875	- No unbound-control set_option for ECS options
5876	- Deprecated client-subnet-opcode config option
5877	- Introduced client-subnet-always-forward config option
5878	- Changed max-client-subnet-ipv6 default to 56 (as in RFC)
5879	- Removed extern ECS config options
5880	- module_restart_next now calls clear on all following modules
5881	- Also create ECS module qstate on module_event_pass event
5882	- remove malloc from inplace_cb_register
5883
58846 April 2017: Wouter
5885	- Small fixup for documentation.
5886	- iana portlist update
5887	- Fix respip for braces when locks arent used.
5888	- Fix pythonmod for cb changes.
5889
58904 April 2017: Wouter
5891	- Fix #1244: document that use of chroot requires trust anchor file to
5892	  be under chroot.
5893	- iana portlist update
5894
58953 April 2017: Ralph
5896	- Do not add current time twice to TTL before ECS cache store.
5897	- Do not touch rrset cache after ECS cache message generation.
5898	- Use LDNS_EDNS_CLIENT_SUBNET as default ECS opcode.
5899
59003 April 2017: Wouter
5901	- Fix #1217: Add metrics to unbound-control interface showing
5902	  crypted, cert request, plaintext and malformed queries (from
5903	  Manu Bretelle).
5904	- iana portlist update
5905
590627 March 2017: Wouter
5907	- Remove (now unused) event2 include from dnscrypt code.
5908
590924 March 2017: George
5910	- Fix to prevent non-referral query from being cached as referral when
5911	  the no_cache_store flag was set.
5912
591323 March 2017: Wouter
5914	- Fix #1239: configure fails to find python distutils if python
5915	  prints warning.
5916
591722 March 2017: Wouter
5918	- Fix #1238: segmentation fault when adding through the remote
5919	  interface a per-view local zone to a view with no previous
5920	  (configured) local zones.
5921	- Fix #1229: Systemd service sandboxing, options in wrong sections.
5922
592321 March 2017: Ralph
5924	- Merge EDNS Client subnet implementation from feature branch into main
5925	  branch, using new EDNS processing framework.
5926
592721 March 2017: Wouter
5928	- Fix doxygen for dnscrypt files.
5929
593020 March 2017: Wouter
5931	- #1217. DNSCrypt support, with --enable-dnscrypt, libsodium and then
5932	  enabled in the config file from Manu Bretelle.
5933	- make depend, autoconf, remove warnings about statement before var.
5934	- lru_demote and lruhash_insert_or_retrieve functions for getdns.
5935	- fixup for lruhash (whitespace and header file comment).
5936	- dnscrypt tests.
5937
593817 March 2017: Wouter
5939	- Patch for view functionality for local-data-ptr from Björn Ketelaars.
5940	- Fix #1237 - Wrong resolving in chain, for norec queries that get
5941	  SERVFAIL returned.
5942
594316 March 2017: Wouter
5944	- Fix that SHM is not inited if not enabled.
5945	- Add trustanchor.unbound CH TXT that gets a response with a number
5946	  of TXT RRs with a string like "example.com. 2345 1234" with
5947	  the trust anchors and their keytags.
5948	- Fix that looped DNAMEs do not cause unbound to spend effort.
5949	- trustanchor tags are sorted.  reusable routine to fetch taglist.
5950
595113 March 2017: Wouter
5952	- testbound understands Deckard MATCH rcode question answer commands.
5953	- Fix #1235: Fix too long DNAME expansion produces SERVFAIL instead
5954	  of YXDOMAIN + query loop, reported by Petr Spacek.
5955
595610 March 2017: Wouter
5957	- Fix #1234: shortening DNAME loop produces duplicate DNAME records
5958	  in ANSWER section.
5959
59609 March 2017: Wouter
5961	- --disable-sha1 disables SHA1 support in RRSIG, so from DNSKEY and
5962	  DS records.  NSEC3 is not disabled.
5963	- fake-sha1 test option; print warning if used.  To make unit tests.
5964	- unbound-control list local zone and data commands listed in the
5965	  help output.
5966
59678 March 2017: Wouter
5968	- make depend for build dependencies.
5969	- swig version 2.0.1 required.
5970	- fix enum conversion warnings
5971
59727 March 2017: Wouter
5973	- Fix #1230: swig version 2.0.0 is required for pythonmod, with
5974	  1.3.40 it crashes when running repeatedly unbound-control reload.
5975	- Response actions based on IP address from Jinmei Tatuya (Infoblox).
5976
59776 March 2017: Wouter
5978	- Fix #1229: Systemd service sandboxing in contrib/unbound.service.
5979	- iana portlist update
5980
598128 February 2017: Ralph
5982	- Fix testpkts.c, check if DO bit is set, not only if there is an OPT
5983	  record.
5984
598528 February 2017: Wouter
5986	- For #1227: if we have sha256, set the cipher list to have no
5987	  known vulns.
5988
598927 February 2017: Wouter
5990	- Fix #1227: Fix that Unbound control allows weak ciphersuites.
5991	- Fix #1226: provide official 32bit binary for windows.
5992
599324 February 2017: Wouter
5994	- include sys/time.h for new shm code on NetBSD.
5995
599623 February 2017: Wouter
5997	- Fix doc/CNAME-basedRedirectionDesignNotes.pdf zone static to
5998	  redirect.
5999	- Patch from Luiz Fernando Softov for Stats Shared Memory.
6000	- unbound-control stats_shm command prints stats using shared memory,
6001	  which uses less cpu.
6002	- make depend, autoconf, doxygen and lint fixed up.
6003
600422 February 2017: Wouter
6005	- Fix #1224: Fix that defaults should not fall back to "Program Files
6006	  (x86) if Unbound is 64bit by default on windows.
6007
600821 February 2017: Wouter
6009	- iana portlist update
6010
601116 February 2017: Wouter
6012	- sldns updated for vfixed and buffer resize indication from getdns.
6013
601415 February 2017: Wouter
6015	- sldns has ED25519 and ED448 algorithm number and name for display.
6016
601714 February 2017: Wouter
6018	- tag 1.6.1rc3. -- which became 1.6.1 on 21feb, trunk has 1.6.2
6019
602013 February 2017: Wouter
6021	- Fix autoconf of systemd check for lack of pkg-config.
6022
602310 February 2017: Wouter
6024	- Fix pythonmod for typedef changes.
6025	- Fix dnstap for warning of set but not used.
6026	- tag 1.6.1rc2.
6027
60289 February 2017: Wouter
6029	- tag 1.6.1rc1.
6030
60318 February 2017: Wouter
6032	- Fix for type name change and fix warning on windows compile.
6033
60347 February 2017: Wouter
6035	- Include root trust anchor id 20326 in unbound-anchor.
6036
60376 February 2017: Wouter
6038	- Fix compile on solaris of the fix to use $host detect.
6039
60404 February 2017: Wouter
6041	- fix root_anchor test for updated icannbundle.pem lower certificates.
6042
604326 January 2017: Wouter
6044	- Fix 1211: Fix can't enable interface-automatic if no IPv6 with
6045	  more helpful error message.
6046
604720 January 2017: Wouter
6048	- Increase MAX_MODULE to 16.
6049
605019 January 2017: Wouter
6051	- Fix to Rename ub_callback_t to ub_callback_type, because POSIX
6052	  reserves _t typedefs.
6053	- Fix to rename internally used types from _t to _type, because _t
6054	  type names are reserved by POSIX.
6055	- iana portlist update
6056
605712 January 2017: Wouter
6058	- Fix to also block meta types 128 through to 248 with formerr.
6059	- Fix #1206: Some view-related commands are missing from 'unbound-control -h'
6060
60619 January 2017: Wouter
6062	- Fix #1202: Fix code comment that packed_rrset_data is not always
6063	  'packed'.
6064
60656 January 2017: Wouter
6066	- Fix #1201: Fix missing unlock in answer_from_cache error condition.
6067
60685 January 2017: Wouter
6069	- Fix to return formerr for queries for meta-types, to avoid
6070	  packet amplification if this meta-type is sent on to upstream.
6071	- Fix #1184: Log DNS replies. This includes the same logging
6072	  information that DNS queries and response code and response size,
6073	  patch from Larissa Feng.
6074	- Fix #1187: Source IP rate limiting, patch from Larissa Feng.
6075
60763 January 2017: Wouter
6077	- configure --enable-systemd and lets unbound use systemd sockets if
6078	  you enable use-systemd: yes in unbound.conf.
6079	  Also there are contrib/unbound.socket and contrib/unbound.service:
6080	  systemd files for unbound, install them in /usr/lib/systemd/system.
6081	  Contributed by Sami Kerola and Pavel Odintsov.
6082	- Fix reload chdir failure when also chrooted to that directory.
6083
60842 January 2017: Wouter
6085	- Fix #1194: Cross build fails when $host isn't `uname` for getentropy.
6086
608723 December 2016: Ralph
6088	- Fix #1190: Do not echo back EDNS options in local-zone error response.
6089	- iana portlist update
6090
609121 December 2016: Ralph
6092	- Fix #1188: Unresolved symbol 'fake_dsa' in libunbound.so when built
6093	  with Nettle
6094
609519 December 2016: Ralph
6096	- Fix #1191: remove comment about view deletion.
6097
609815 December 2016: Wouter
6099	- iana portlist update
6100	- 64bit is default for windows builds.
6101	- Fix inet_ntop and inet_pton warnings in windows compile.
6102
610314 December 2016: Wouter
6104	- Fix #1178: attempt to fix setup error at end, pop result values
6105	  at end of install.
6106
610713 December 2016: Wouter
6108	- Fix #1182: Fix Resource leak (socket), at startup.
6109	- Fix unbound-control and ipv6 only.
6110
61119 December 2016: Wouter
6112	- Fix #1176: stack size too small for Alpine Linux.
6113
61148 December 2016: Wouter
6115	- Fix downcast warnings from visual studio in sldns code.
6116	- tag 1.6.0rc1 which became 1.6.0 on 15 dec, and trunk is 1.6.1.
6117
61187 December 2016: Ralph
6119	- Add DSA support for OpenSSL 1.1.0
6120	- Fix remote control without cert for LibreSSL
6121
61226 December 2016: George
6123	- Added generic EDNS code for registering known EDNS option codes,
6124	  bypassing the cache response stage and uniquifying mesh states. Four EDNS
6125	  option lists were added to module_qstate (module_qstate.edns_opts_*) to
6126	  store EDNS options from/to front/back side.
6127	- Added two flags to module_qstate (no_cache_lookup, no_cache_store) that
6128	  control the modules' cache interactions.
6129	- Added code for registering inplace callback functions. The registered
6130	  functions can be called just before replying with local data or Chaos,
6131	  replying from cache, replying with SERVFAIL, replying with a resolved
6132	  query, sending a query to a nameserver. The functions can inspect the
6133	  available data and maybe change response/query related data (i.e. append
6134	  EDNS options).
6135	- Updated Python module for the above.
6136	- Updated Python documentation.
6137
61385 December 2016: Ralph
6139	- Fix #1173: differ local-zone type deny from unset
6140	  tag_actions element.
6141
61425 December 2016: Wouter
6143	- Fix #1170: document that 'inform' local-zone uses local-data.
6144
61451 December 2016: Ralph
6146	- hyphen as minus fix, by Andreas Schulze
6147
614830 November 2016: Ralph
6149	- Added local-zones and local-data bulk addition and removal
6150	  functionality in unbound-control (local_zones, local_zones_remove,
6151	  local_datas and local_datas_remove).
6152	- iana portlist update
6153
615429 November 2016: Wouter
6155	- version 1.6.0 is in the development branch.
6156	- braces in view.c around lock statements.
6157
615828 November 2016: Wouter
6159	- new install-sh.
6160
616125 November 2016: Wouter
6162	- Fix that with openssl 1.1 control-use-cert: no uses less cpu, by
6163	  using no encryption over the unix socket.
6164
616522 November 2016: Ralph
6166	- Make access-control-tag-data RDATA absolute. This makes the RDATA
6167	  origin consistent between local-data and access-control-tag-data.
6168	- Fix NSEC ENT wildcard check. Matching wildcard does not have to be a
6169	  subdomain of the NSEC owner.
6170	- QNAME minimisation uses QTYPE=A, therefore always check cache for
6171	  this type in harden-below-nxdomain functionality.
6172	- Added unit test for QNAME minimisation + harden below nxdomain
6173	  synergy.
6174
617522 November 2016: Wouter
6176	- iana portlist update.
6177	- Fix unit tests for DS hash processing for fake-dsa test option.
6178	- patch from Dag-Erling Smorgrav that removes code that relies
6179	  on sbrk().
6180
618121 November 2016: Wouter
6182	- Fix #1158: reference RFC 8020 "NXDOMAIN: There Really Is Nothing
6183	  Underneath" for the harden-below-nxdomain option.
6184
618510 November 2016: Ralph
6186	- Fix #1155: test status code of unbound-control in 04-checkconf,
6187	  not the status code from the tee command.
6188
61894 November 2016: Ralph
6190	- Added stub-ssl-upstream and forward-ssl-upstream options.
6191
61924 November 2016: Wouter
6193	- configure detects ssl security level API function in the autoconf
6194	  manner.  Every function on its own, so that other libraries (eg.
6195	  LibreSSL) can develop their API without hindrance.
6196	- Fix #1154: segfault when reading config with duplicate zones.
6197	- Note that for harden-below-nxdomain the nxdomain must be secure,
6198	  this means nsec3 with optout is insufficient.
6199
62003 November 2016: Ralph
6201	- Set OpenSSL security level to 0 when using aNULL ciphers.
6202
62033 November 2016: Wouter
6204	- .gitattributes line for githubs code language display.
6205	- log-identity: config option to set sys log identity, patch from
6206	  "Robin H. Johnson" <robbat2@gentoo.org>
6207
62082 November 2016: Wouter
6209	- iana portlist update.
6210
621131 October 2016: Wouter
6212	- Fix failure to build on arm64 with no sbrk.
6213	- iana portlist update.
6214
621528 October 2016: Wouter
6216	- Patch for server.num.zero_ttl stats for count of expired replies,
6217	  from Pavel Odintsov.
6218
621926 October 2016: Wouter
6220	- Fix unit tests for openssl 1.1, with no DSA, by faking DSA, enabled
6221	  with the undocumented switch 'fake-dsa'.  It logs a warning.
6222
622325 October 2016: Wouter
6224	- Fix #1134: unbound-control set_option -- val-override-date: -1 works
6225	  immediately to ignore datetime, or back to 0 to enable it again.
6226	  The -- is to ignore the '-1' as an option flag.
6227
622824 October 2016: Wouter
6229	- serve-expired config option: serve expired responses with TTL 0.
6230	- g.root-servers.net has AAAA address.
6231
623221 October 2016: Wouter
6233	- Ported tests for local_cname unit test to testbound framework.
6234
623520 October 2016: Wouter
6236	- suppress compile warning in lex files.
6237	- init lzt variable, for older gcc compiler warnings.
6238	- fix --enable-dsa to work, instead of copying ecdsa enable.
6239	- Fix DNSSEC validation of query type ANY with DNAME answers.
6240	- Fixup query_info local_alias init.
6241
624219 October 2016: Wouter
6243	- Fix #1130: whitespace in example.conf.in more consistent.
6244
624518 October 2016: Wouter
6246	- Patch that resolves CNAMEs entered in local-data conf statements that
6247	  point to data on the internet, from Jinmei Tatuya (Infoblox).
6248	- Removed patch comments from acllist.c and msgencode.c
6249	- Added documentation doc/CNAME-basedRedirectionDesignNotes.pdf,
6250	  from Jinmei Tatuya (Infoblox).
6251	- Fix #1125: unbound could reuse an answer packet incorrectly for
6252	  clients with different EDNS parameters, from Jinmei Tatuya.
6253	- Fix #1118: libunbound.pc sets strange Libs, Libs.private values.
6254	- Added Requires line to libunbound.pc
6255	- Please doxygen by modifying mesh.h
6256
625717 October 2016: Wouter
6258	- Re-fix #839 from view commit overwrite.
6259	- Fixup const void cast warning.
6260
626112 October 2016: Ralph
6262	- Free view config elements.
6263
626411 October 2016: Ralph
6265	- Added qname-minimisation-strict config option.
6266	- iana portlist update.
6267	- fix memoryleak logfile when in debug mode.
6268
62695 October 2016: Ralph
6270	- Added views functionality.
6271	- Fix #1117: spelling errors, from Robert Edmonds.
6272
627330 September 2016: Wouter
6274	- Fix Nits for 1.5.10 reported by Dag-Erling Smorgrav.
6275
627629 September 2016: Wouter
6277	- Fix #838: 1.5.10 cannot be built on Solaris, undefined PATH_MAX.
6278	- Fix #839: Memory grows unexpectedly with large RPZ files.
6279	- Fix #840: infinite loop in unbound_munin_ plugin on unowned lockfile.
6280	- Fix #841: big local-zone's make it consume large amounts of memory.
6281
628227 September 2016: Wouter
6283	- tag for 1.5.10 release
6284	- trunk contains 1.5.11 in development.
6285	- Fix dnstap relaying "random" messages instead of resolver/forwarder
6286	  responses, from Nikolay Edigaryev.
6287	- Fix #836: unbound could echo back EDNS options in an error response.
6288
628920 September 2016: Wouter
6290	- iana portlist update.
6291	- Fix #835: fix --disable-dsa with nettle verify.
6292	- tag for 1.5.10rc1 release.
6293
629415 September 2016: Wouter
6295	- Fix 883: error for duplicate local zone entry.
6296	- Test for openssl init_crypto and init_ssl functions.
6297
629815 September 2016: Ralph
6299	- fix potential memory leak in daemon/remote.c and nullpointer
6300	  dereference in validator/autotrust.
6301	- iana portlist update.
6302
630313 September 2016: Wouter
6304	- Silenced flex-generated sign-unsigned warning print with gcc
6305	  diagnostic pragma.
6306	- Fix for new splint on FreeBSD.  Fix cast for sockaddr_un.sun_len.
6307
63089 September 2016: Wouter
6309	- Fix #831: workaround for spurious fread_chk warning against petal.c
6310
63115 September 2016: Ralph
6312	- Take configured minimum TTL into consideration when reducing TTL
6313	  to original TTL from RRSIG.
6314
63155 September 2016: Wouter
6316	- Fix #829: doc of sldns_wire2str_rdata_buf() return value has an
6317	  off-by-one typo, from Jinmei Tatuya (Infoblox).
6318	- Fix incomplete prototypes reported by Dag-Erling Smørgrav.
6319	- Fix #828: missing type in access-control-tag-action redirect results
6320	  in NXDOMAIN.
6321
63222 September 2016: Wouter
6323	- Fix compile with openssl 1.1.0 with api=1.1.0.
6324
63251 September 2016: Wouter
6326	- RFC 7958 is now out, updated docs for unbound-anchor.
6327	- Fix for compile without warnings with openssl 1.1.0.
6328	- Fix #826: Fix refuse_non_local could result in a broken response.
6329	- iana portlist update.
6330
633129 August 2016: Wouter
6332	- Fix #777: OpenSSL 1.1.0 compatibility, patch from Sebastian A.
6333	  Siewior.
6334	- Add default root hints for IPv6 E.ROOT-SERVERS.NET, 2001:500:a8::e.
6335
633625 August 2016: Ralph
6337	- Clarify local-zone-override entry in unbound.conf.5
6338
633925 August 2016: Wouter
6340	- 64bit build option for makedist windows compile, -w64.
6341
634224 August 2016: Ralph
6343	- Fix #820: set sldns_str2wire_rr_buf() dual meaning len parameter
6344	  in each iteration in find_tag_datas().
6345	- unbound.conf.5 entries for define-tag, access-control-tag,
6346	  access-control-tag-action, access-control-tag-data, local-zone-tag,
6347	  and local-zone-override.
6348
634923 August 2016: Wouter
6350	- Fix #804: unbound stops responding after outage.  Fixes queries
6351	  that attempt to wait for an empty list of subqueries.
6352	- Fix #804: lower num_target_queries for iterator also for failed
6353	  lookups.
6354
63558 August 2016: Wouter
6356	- Note that OPENPGPKEY type is RFC 7929.
6357
63584 August 2016: Wouter
6359	- Fix #807: workaround for possible some "unused" function parameters
6360	  in test code, from Jinmei Tatuya.
6361
63623 August 2016: Wouter
6363	- use sendmsg instead of sendto for TFO.
6364
636528 July 2016: Wouter
6366	- Fix #806: wrong comment removed.
6367
636826 July 2016: Wouter
6369	- nicer ratelimit-below-domain explanation.
6370
637122 July 2016: Wouter
6372	- Fix #801: missing error condition handling in
6373	  daemon_create_workers().
6374	- Fix #802: workaround for function parameters that are "unused"
6375	  without log_assert.
6376	- Fix #803: confusing (and incorrect) code comment in daemon_cleanup().
6377
637820 July 2016: Wouter
6379	- Fix typo in unbound.conf.
6380
638118 July 2016: Wouter
6382	- Fix #798: Client-side TCP fast open fails (Linux).
6383
638414 July 2016: Wouter
6385	- TCP Fast open patch from Sara Dickinson.
6386	- Fixed unbound.doxygen for 1.8.11.
6387
63887 July 2016: Wouter
6389	- access-control-tag-data implemented. verbose(4) prints tag debug.
6390
63915 July 2016: Wouter
6392	- Fix dynamic link of anchor-update.exe on windows.
6393	- Fix detect of mingw for MXE package build.
6394	- Fixes for 64bit windows compile.
6395	- Fix #788 for nettle 3.0: Failed to build with Nettle >= 3.0 and
6396	  --with-libunbound-only --with-nettle.
6397
63984 July 2016: Wouter
6399	- For #787: prefer-ip6 option for unbound.conf prefers to send
6400	  upstream queries to ipv6 servers.
6401	- Fix #787: outgoing-interface netblock/64 ipv6 option to use linux
6402	  freebind to use 64bits of entropy for every query with random local
6403	  part.
6404
640530 June 2016: Wouter
6406	- Document always_transparent, always_refuse, always_nxdomain types.
6407
640829 June 2016: Wouter
6409	- Fix static compile on windows missing gdi32.
6410
641128 June 2016: Wouter
6412	- Create a pkg-config file for libunbound in contrib.
6413
641427 June 2016: Wouter
6415	- Fix #784: Build configure assumess that having getpwnam means there
6416	  is endpwent function available.
6417	- Updated repository with newer flex and bison output.
6418
641924 June 2016: Ralph
6420	- Possibility to specify local-zone type for an acl/tag pair
6421	- Possibility to specify (override) local-zone type for a source address
6422	  block
642316 June 2016: Ralph
6424	- Decrease dp attempts at each QNAME minimisation iteration
6425
642616 June 2016: Wouter
6427	- Fix tcp timeouts in tv.usec.
6428
642915 June 2016: Wouter
6430	- TCP_TIMEOUT is specified in milliseconds.
6431	- If more than half of tcp connections are in use, a shorter timeout
6432	  is used (200 msec, vs 2 minutes) to pressure tcp for new connects.
6433
643414 June 2016: Ralph
6435	- QNAME minimisation unit test for dropped QTYPE=A queries.
6436
643714 June 2016: Wouter
6438	- Fix 775: unbound-host and unbound-anchor crash on windows, ignore
6439	  null delete for wsaevent.
6440	- Fix spelling in freebind option man page text.
6441	- Fix windows link of ssl with crypt32.
6442	- Fix 779: Union casting is non-portable.
6443	- Fix 780: MAP_ANON not defined in HP-UX 11.31.
6444	- Fix 781: prealloc() is an HP-UX system library call.
6445
644613 June 2016: Ralph
6447	- Use QTYPE=A for QNAME minimisation.
6448	- Keep track of number of time-outs when performing QNAME minimisation.
6449	  Stop minimising when number of time-outs for a QNAME/QTYPE pair is
6450	  more than three.
6451
645213 June 2016: Wouter
6453	- Fix #778: unbound 1.5.9: -h segfault (null deref).
6454	- Fix directory: fix for unbound-checkconf, it restores cwd.
6455
645610 June 2016: Wouter
6457	- And delete service.conf.shipped on uninstall.
6458	- In unbound.conf directory: dir immediately changes to that directory,
6459	  so that include: file below that is relative to that directory.
6460	  With chroot, make the directory an absolute path inside chroot.
6461	- keep debug symbols in windows build.
6462	- do not delete service.conf on windows uninstall.
6463	- document directory immediate fix and allow EXECUTABLE syntax in it
6464	  on windows.
6465
64669 June 2016: Wouter
6467	- Trunk is called 1.5.10 (with previous fixes already in there to 2
6468	  june).
6469	- Revert fix for NetworkService account on windows due to breakage
6470	  it causes.
6471	- Fix that windows install will not overwrite existing service.conf
6472	  file (and ignore gui config choices if it exists).
6473
64747 June 2016: Ralph
6475	- Lookup localzones by taglist from acl.
6476	- Possibility to lookup local_zone, regardless the taglist.
6477	- Added local_zone/taglist/acl unit test.
6478
64797 June 2016: Wouter
6480	- Fix #773: Non-standard Python location build failure with pyunbound.
6481	- Improve threadsafety for openssl 0.9.8 ecdsa dnssec signatures.
6482
64836 June 2016: Wouter
6484	- Better help text from -h (from Ray Griffith).
6485	- access-control-tag config directive.
6486	- local-zone-override config directive.
6487	- access-control-tag-action and access-control-tag-data config
6488	  directives.
6489	- free acl-tags, acltag-action and acltag-data config lists during
6490	  initialisation to free up memory for more entries.
6491
64923 June 2016: Wouter
6493	- Fix to not ignore return value of chown() in daemon startup.
6494
64952 June 2016: Wouter
6496	- Fix libubound for edns optlist feature.
6497	- Fix distinction between free and CRYPTO_free in dsa and ecdsa alloc.
6498	- Fix #752: retry resource temporarily unavailable on control pipe.
6499	- un-document localzone tags.
6500	- tag for release 1.5.9rc1.
6501	  And this also became release 1.5.9.
6502	- Fix (for 1.5.10): Fix unbound-anchor.exe file location defaults to
6503	  Program Files with (x86) appended.
6504	- re-documented localzone tags in example.conf.
6505
650631 May 2016: Wouter
6507	- Fix windows service to be created run with limited rights, as a
6508	  network service account, from Mario Turschmann.
6509	- compat strsep implementation.
6510	- generic edns option parse and store code.
6511	- and also generic edns options for upstream messages (and replies).
6512	  after parse use edns_opt_find(edns.opt_list, LDNS_EDNS_NSID),
6513	  to insert use edns_opt_append(edns, region, code, len, bindata) on
6514	  the opt_list passed to send_query, or in edns_opt_inplace_reply.
6515
651630 May 2016: Wouter
6517	- Fix time in case answer comes from cache in ub_resolve_event().
6518	- Attempted fix for #765: _unboundmodule missing for python3.
6519
652027 May 2016: Wouter
6521	- Fix #770: Small subgroup attack on DH used in unix pipe on localhost
6522	  if unbound control uses a unix local named pipe.
6523	- Document write permission to directory of trust anchor needed.
6524	- Fix #768:  Unbound Service Sometimes Can Not Shutdown
6525	  Completely, WER Report Shown Up.  Close handle before closing WSA.
6526
652726 May 2016: Wouter
6528	- Updated patch from Charles Walker.
6529
653024 May 2016: Wouter
6531	- disable-dnssec-lame-check config option from Charles Walker.
6532	- remove memory leak from lame-check patch.
6533	- iana portlist update.
6534
653523 May 2016: Wouter
6536	- Fix #767:  Reference to an expired Internet-Draft in
6537	  harden-below-nxdomain documentation.
6538
653920 May 2016: Ralph
6540	- No QNAME minimisation fall-back for NXDOMAIN answers from DNSSEC
6541	  signed zones.
6542	- iana portlist update.
6543
654419 May 2016: Wouter
6545	- Fix #766: dns64 should synthesize results on timeout/errors.
6546
654718 May 2016: Wouter
6548	- Fix #761: DNSSEC LAME false positive resolving nic.club.
6549
655017 May 2016: Wouter
6551	- trunk updated with output of flex 2.6.0.
6552
65536 May 2016: Wouter
6554	- Fix memory leak in out-of-memory conditions of local zone add.
6555
655629 April 2016: Wouter
6557	- Fix sldns with static checking fixes copied from getdns.
6558
655928 April 2016: Wouter
6560	- Fix #759: 0x20 capsforid no longer checks type PTR, for
6561	  compatibility with cisco dns guard.  This lowers false positives.
6562
656318 April 2016: Wouter
6564	- Fix some malformed responses to edns queries get fallback to nonedns.
6565
656615 April 2016: Wouter
6567	- cachedb module event handling design.
6568
656914 April 2016: Wouter
6570	- cachedb module framework (empty).
6571	- iana portlist update.
6572
657312 April 2016: Wouter
6574	- Fix #753: document dump_requestlist is for first thread.
6575
657624 March 2016: Wouter
6577	- Document permit-small-holddown for 5011 debug.
6578	- Fix #749: unbound-checkconf gets SIGSEGV when use against a
6579	  malformatted conf file.
6580
658123 March 2016: Wouter
6582	- OpenSSL 1.1.0 portability, --disable-dsa configure option.
6583
658421 March 2016: Wouter
6585	- Fix compile of getentropy_linux for SLES11 servicepack 4.
6586	- Fix dnstap-log-resolver-response-messages, from Nikolay Edigaryev.
6587	- Fix test for openssl to use HMAC_Update for 1.1.0.
6588	- acx_nlnetlabs.m4 to v33, with HMAC_Update.
6589	- acx_nlnetlabs.m4 to v34, with -ldl -pthread test for libcrypto.
6590	- ERR_remove_state deprecated since openssl 1.0.0.
6591	- OPENSSL_config is deprecated, removing.
6592
659318 March 2016: Ralph
6594	- Validate QNAME minimised NXDOMAIN responses.
6595	- If QNAME minimisation is enabled, do cache lookup for QTYPE NS in
6596	  harden-below-nxdomain.
6597
659817 March 2016: Ralph
6599	- Limit number of QNAME minimisation iterations.
6600
660117 March 2016: Wouter
6602	- Fix #746: Fix unbound sets CD bit on all forwards.
6603	  If no trust anchors, it'll not set CD bit when forwarding to another
6604	  server.  If a trust anchor, no CD bit on the first attempt to a
6605	  forwarder, but CD bit thereafter on repeated attempts to get DNSSEC.
6606	- iana portlist update.
6607
660816 March 2016: Wouter
6609	- Fix ip-transparent for ipv6 on FreeBSD, thanks to Nick Hibma.
6610	- Fix ip-transparent for tcp on freebsd.
6611
661215 March 2016: Wouter
6613	- ip_freebind: yesno option in unbound.conf sets IP_FREEBIND for
6614	  binding to an IP address while the interface or address is down.
6615
661614 March 2016: Wouter
6617	- Fix warnings in ifdef corner case, older or unknown libevent.
6618	- Fix compile for ub_event code with older libev.
6619
662011 March 2016: Wouter
6621	- Remove warning about unused parameter in event_pluggable.c.
6622	- Fix libev usage of dispatch return value.
6623	- No side effects in tolower() call, in case it is a macro.
6624	- For test put free in pluggable api in parenthesis.
6625
662610 March 2016: Wouter
6627	- Fixup backend2str for libev.
6628
662909 March 2016: Willem
6630	- User defined pluggable event API for libunbound
6631	- Fixup of compile fix for pluggable event API from P.Y. Adi
6632	  Prasaja.
6633
663409 March 2016: Wouter
6635	- Updated configure and ltmain.sh.
6636	- Updated L root IPv6 address.
6637
663807 March 2016: Wouter
6639	- Fix #747: assert in outnet_serviced_query_stop.
6640	- iana ports fetched via https.
6641	- iana portlist update.
6642
664303 March 2016: Wouter
6644	- configure tests for the weak attribute support by the compiler.
6645
664602 March 2016: Wouter
6647	- 1.5.8 release tag
6648	- trunk contains 1.5.9 in development.
6649	- iana portlist update.
6650	- Fix #745: unbound.py - idn2dname throws UnicodeError when idnname
6651	  contains trailing dot.
6652
665324 February 2016: Wouter
6654	- Fix OpenBSD asynclook lock free that gets used later (fix test code).
6655	- Fix that NSEC3 negative cache is used when there is no salt.
6656
665723 February 2016: Wouter
6658	- ub_ctx_set_stub() function for libunbound to config stub zones.
6659	- sorted ubsyms.def file with exported libunbound functions.
6660
666119 February 2016: Wouter
6662	- Print understandable debug log when unusable DS record is seen.
6663	- load gost algorithm if digest is seen before key algorithm.
6664	- iana portlist update.
6665
666617 February 2016: Wouter
6667	- Fix that "make install" fails due to "text file busy" error.
6668
666916 February 2016: Wouter
6670	- Set IPPROTO_IP6 for ipv6 sockets otherwise invalid argument error.
6671
667215 February 2016: Wouter
6673	- ip-transparent option for FreeBSD with IP_BINDANY socket option.
6674	- wait for sendto to drain socket buffers when they are full.
6675
66769 February 2016: Wouter
6677	- Test for type OPENPGPKEY.
6678	- insecure-lan-zones: yesno config option, patch from Dag-Erling
6679	  Smørgrav.
6680
66818 February 2016: Wouter
6682	- Fix patch typo in prevuous commit for 734 from Adi Prasaja.
6683	- RR Type CSYNC support RFC 7477, in debug printout and config input.
6684	- RR Type OPENPGPKEY support (draft-ietf-dane-openpgpkey-07).
6685
668629 January 2016: Wouter
6687	- Neater cmdline_verbose increment patch from Edgar Pettijohn.
6688
668927 January 2016: Wouter
6690	- Made netbsd sendmsg test nonfatal, in case of false positives.
6691	- Fix #741: log message for dnstap socket connection is more clear.
6692
669326 January 2016: Wouter
6694	- Fix #734: chown the pidfile if it resides inside the chroot.
6695	- Use arc4random instead of random in tests (because it is
6696	  available, possibly as compat, anyway).
6697	- Fix cmsg alignment for argument to sendmsg on NetBSD.
6698	- Fix that unbound complains about unimplemented IP_PKTINFO for
6699	  sendmsg on NetBSD (for interface-automatic).
6700
670125 January 2016: Wouter
6702	- Fix #738: Swig should not be invoked with CPPFLAGS.
6703
670419 January 2016: Wouter
6705	- Squelch 'cannot assign requested address' log messages unless
6706	  verbosity is high, it was spammed after network down.
6707
670814 January 2016: Wouter
6709	- Fix to simplify empty string checking from Michael McConville.
6710	- iana portlist update.
6711
671212 January 2016: Wouter
6713	- Fix #734: Do not log an error when the PID file cannot be chown'ed.
6714	  Patch from Simon Deziel.
6715
671611 January 2016: Wouter
6717	- Fix test if -pthreads unused to use better grep for portability.
6718
671906 January 2016: Wouter
6720	- Fix mingw crosscompile for recent mingw.
6721	- Update aclocal, autoconf output with new versions (1.15, 2.4.6).
6722
672305 January 2016: Wouter
6724	- #731: tcp-mss, outgoing-tcp-mss options for unbound.conf, patch
6725	  from Daisuke Higashi.
6726	- Support RFC7686: handle ".onion" Special-Use Domain. It is blocked
6727	  by default, and can be unblocked with "nodefault" localzone config.
6728
672904 January 2016: Wouter
6730	- Define DEFAULT_SOURCE together with BSD_SOURCE when that is defined,
6731	  for Linux glibc 2.20.
6732	- Fixup contrib/aaaa-filter-iterator.patch for moved contents in the
6733	  source code, so it applies cleanly again.  Removed unused variable
6734	  warnings.
6735
673615 December 2015: Ralph
6737	- Fix #729: omit use of escape sequences in echo since they are not
6738	  portable (unbound-control-setup).
6739
674011 December 2015: Wouter
6741	- remove NULL-checks before free, patch from Michael McConville.
6742	- updated ax_pthread.m4 to version 21 with clang support, this
6743	  removes a warning from compilation.
6744	- OSX portability, detect if sbrk is deprecated.
6745	- OSX clang, stop -pthread unused during link stage warnings.
6746	- OSX clang new flto check.
6747
674810 December 2015: Wouter
6749	- 1.5.7 release
6750	- trunk has 1.5.8 in development.
6751
67528 December 2015: Wouter
6753	- Fixup 724 for unbound-control.
6754
67557 December 2015: Ralph
6756	- Do not minimise forwarded requests.
6757
67584 December 2015: Wouter
6759	- Removed unneeded whitespace from example.conf.
6760
67613 December 2015: Ralph
6762	- (after rc1 tag)
6763	- Committed fix to qname minimisation and unit test case for it.
6764
67653 December 2015: Wouter
6766	- iana portlist update.
6767	- 1.5.7rc1 prerelease tag.
6768
67692 December 2015: Wouter
6770	- Fixup 724: Fix PCA prompt for unbound-service-install.exe.
6771	  re-enable stdout printout.
6772	- For 724: Add Changelog to windows binary dist.
6773
67741 December 2015: Ralph
6775	- Qname minimisation review fixes
6776
67771 December 2015: Wouter
6778	- Fixup 724 fix for fname_after_chroot() calls.
6779	- Remove stdout printout for unbound-service-install.exe
6780	- .gitignore for git users.
6781
678230 November 2015: Ralph
6783	- Implemented qname minimisation
6784
678530 November 2015: Wouter
6786	- Fix for #724: conf syntax to read files from run dir (on Windows).
6787
678825 November 2015: Wouter
6789	- Fix for #720, fix unbound-control-setup windows batch file.
6790
679124 November 2015: Wouter
6792	- Fix #720: add windows scripts to zip bundle.
6793	- iana portlist update.
6794
679520 November 2015: Wouter
6796	- Added assert on rrset cache correctness.
6797	- Fix that malformed EDNS query gets a response without malformed EDNS.
6798
679918 November 2015: Wouter
6800	- newer acx_nlnetlabs.m4.
6801	- spelling fixes from Igor Sobrado Delgado.
6802
680317 November 2015: Wouter
6804	- Fix #594. libunbound: optionally use libnettle for crypto.
6805	  Contributed by Luca Bruno.  Added --with-nettle for use with
6806	  --with-libunbound-only.
6807	- refactor nsec3 hash implementation to be more library-portable.
6808	- iana portlist update.
6809	- Fixup DER encoded DSA signatures for libnettle.
6810
681116 November 2015: Wouter
6812	- Fix for lenient accept of reverse order DNAME and CNAME.
6813
68146 November 2015: Wouter
6815	- Change example.conf: ftp.internic.net to https://www.internic.net
6816
68175 November 2015: Wouter
6818	- ACX_SSL_CHECKS no longer adds -ldl needlessly.
6819
68203 November 2015: Wouter
6821	- Fix #718: Fix unbound-control-setup with support for env
6822	  without HEREDOC bash support.
6823
682429 October 2015: Wouter
6825	- patch from Doug Hogan for SSL_OP_NO_SSLvx options.
6826	- Fix #716: nodata proof with empty non-terminals and wildcards.
6827
682828 October 2015: Wouter
6829	- Fix checklock testcode for linux threads on exit.
6830
683127 October 2015: Wouter
6832	- isblank() compat implementation.
6833	- detect libexpat without xml_StopParser function.
6834	- portability fixes.
6835	- portability, replace snprintf if return value broken.
6836
683723 October 2015: Wouter
6838	- Fix #714: Document config to block private-address for IPv4
6839	  mapped IPv6 addresses.
6840
684122 October 2015: Wouter
6842	- Fix #712: unbound-anchor appears to not fsync root.key.
6843
684420 October 2015: Wouter
6845	- 1.5.6 release.
6846	- trunk tracks development of 1.5.7.
6847
684815 October 2015: Wouter
6849	- Fix segfault in the dns64 module in the formaterror error path.
6850	- Fix sldns_wire2str_rdata_scan for malformed RRs.
6851	- tag for 1.5.6rc1 release.
6852
685314 October 2015: Wouter
6854	- ANY responses include DNAME records if present, as per Evan Hunt's
6855	  remark in dnsop.
6856	- Fix manpage to suggest using SIGTERM to terminate the server.
6857
68589 October 2015: Wouter
6859	- Default for ssl-port is port 853, the temporary port assignment
6860	  for secure domain name system traffic.
6861	  If you used to rely on the older default of port 443, you have
6862	  to put a clause in unbound.conf for that.  The new value is likely
6863	  going to be the standardised port number for this traffic.
6864	- iana portlist update.
6865
68666 October 2015: Wouter
6867	- 1.5.5 release.
6868	- trunk tracks the development of 1.5.6.
6869
687028 September 2015: Wouter
6871	- MAX_TARGET_COUNT increased to 64, to fix up sporadic resolution
6872	  failures.
6873	- tag for 1.5.5rc1 release.
6874	- makedist.sh: pgp sig echo commands.
6875
687625 September 2015: Wouter
6877	- Fix unbound-control flush that does not succeed in removing data.
6878
687922 September 2015: Wouter
6880	- Fix config globbed include chroot treatment, this fixes reload of
6881	  globs (patch from Dag-Erling Smørgrav).
6882	- iana portlist update.
6883	- Fix #702: New IPs for for h.root-servers.net.
6884	- Remove confusion comment from canonical_compare() function.
6885	- Fix #705: ub_ctx_set_fwd() return value mishandled on windows.
6886	- testbound selftest also works in non-debug mode.
6887	- Fix minor error in unbound.conf.5.in
6888	- Fix unbound.conf(5) access-control description for precedence
6889	  and default.
6890
689131 August 2015: Wouter
6892	- changed windows setup compression to be more transparent.
6893
689428 August 2015: Wouter
6895	- Fix #697: Get PY_MAJOR_VERSION failure at configure for python
6896	  2.4 to 2.6.
6897	- Feature #699: --enable-pie option to that builds PIE binary.
6898	- Feature #700: --enable-relro-now option that enables full read-only
6899	  relocation.
6900
690124 August 2015: Wouter
6902	- Fix deadlock for local data add and zone add when unbound-control
6903	  list_local_data printout is interrupted.
6904	- iana portlist update.
6905	- Change default of harden-algo-downgrade to off.  This is lenient
6906	  for algorithm rollover.
6907
690813 August 2015: Wouter
6909	- 5011 implementation does not insist on all algorithms, when
6910	  harden-algo-downgrade is turned off.
6911	- Reap the child process that libunbound spawns.
6912
691311 August 2015: Wouter
6914	- Fix #694: configure script does not detect LibreSSL 2.2.2
6915
69164 August 2015: Wouter
6917	- Document that local-zone nodefault matches exactly and transparent
6918	  can be used to release a subzone.
6919
69203 August 2015: Wouter
6921	- Document in the manual more text about configuring locally served
6922	  zones.
6923	- Fix 5011 anchor update timer after reload.
6924	- Fix mktime in unbound-anchor not using UTC.
6925
692630 July 2015: Wouter
6927	- please afl-gcc (llvm) for uninitialised variable warning.
6928	- Added permit-small-holddown config to debug fast 5011 rollover.
6929
693024 July 2015: Wouter
6931	- Fix #690: Reload fails when so-reuseport is yes after changing
6932	  num-threads.
6933	- iana portlist update.
6934
693521 July 2015: Wouter
6936	- Fix configure to detect SSL_CTX_set_ecdh_auto.
6937	- iana portlist update.
6938
693920 July 2015: Wouter
6940	- Enable ECDHE for servers.  Where available, use
6941	  SSL_CTX_set_ecdh_auto() for TLS-wrapped server configurations to
6942	  enable ECDHE.  Otherwise, manually offer curve p256.
6943	  Client connections should automatically use ECDHE when available.
6944	  (thanks Daniel Kahn Gillmor)
6945
694618 July 2015: Willem
6947	- Allow certificate chain files to allow for intermediate certificates.
6948	  (thanks Daniel Kahn Gillmor)
6949
695013 July 2015: Wouter
6951	- makedist produces sha1 and sha256 files for created binaries too.
6952
69539 July 2015: Wouter
6954	- 1.5.4 release tag
6955	- trunk has 1.5.5 in development.
6956	- Fix #681: Setting forwarders with unbound-control forward
6957	  implicitly turns on forward-first.
6958
695929 June 2015: Wouter
6960	- iana portlist update.
6961	- Fix alloc with log for allocation size checks.
6962
696326 June 2015: Wouter
6964	- Fix #677 Fix DNAME responses from cache that failed internal chain
6965	  test.
6966	- iana portlist update.
6967
696822 June 2015: Wouter
6969	- Fix #677 Fix CNAME corresponding to a DNAME was checked incorrectly
6970	  and was therefore always synthesized (thanks to Valentin Dietrich).
6971
69724 June 2015: Wouter
6973	- RFC 7553 RR type URI support, is now enabled by default.
6974
69752 June 2015: Wouter
6976	- Fix #674: Do not free pointers given by getenv.
6977
697829 May 2015: Wouter
6979	- Fix that unparsable error responses are ratelimited.
6980	- SOA negative TTL is capped at minimumttl in its rdata section.
6981	- cache-max-negative-ttl config option, default 3600.
6982
698326 May 2015: Wouter
6984	- Document that ratelimit works with unbound-control set_option.
6985
698621 May 2015: Wouter
6987	- iana portlist update.
6988	- documentation proposes ratelimit of 1000 (closer to what upstream
6989	  servers expect from us).
6990
699120 May 2015: Wouter
6992	- DLV is going to be decommissioned.  Advice to stop using it, and
6993	  put text in the example configuration and man page to that effect.
6994
699510 May 2015: Wouter
6996	- Change syntax of particular validator error to be easier for
6997	  machine parse, swap rrset and ip address info so it looks like:
6998	  validation failure <www.example.nl. TXT IN>: signature crypto
6999	  failed from 2001:DB8:7:bba4::53 for <*.example.nl. NSEC IN>
7000
70011 May 2015: Wouter
7002	- caps-whitelist in unbound.conf allows whitelist of loadbalancers
7003	  that cannot work with caps-for-id or its fallback.
7004
700530 April 2015: Wouter
7006	- Unit test for type ANY synthesis.
7007
700822 April 2015: Wouter
7009	- Removed contrib/unbound_unixsock.diff, because it has been
7010	  integrated, use control-interface: /path in unbound.conf.
7011	- iana portlist update.
7012
701317 April 2015: Wouter
7014	- Synthesize ANY responses from cache.  Does not search exhaustively,
7015	  but MX,A,AAAA,SOA,NS also CNAME.
7016	- Fix leaked dns64prefix configuration string.
7017
701816 April 2015: Wouter
7019	- Add local-zone type inform_deny, that logs query and drops answer.
7020	- Ratelimit does not apply to prefetched queries, and ratelimit-factor
7021	  is default 10.  Repeated normal queries get resolved and with
7022	  prefetch stay in the cache.
7023	- Fix bug#664: libunbound python3 related fixes (from Tomas Hozza)
7024	  Use print_function also for Python2.
7025	  libunbound examples: produce sorted output.
7026	  libunbound-Python: libldns is not used anymore.
7027	  Fix issue with Python 3 mapping of FILE* using file_py3.i from ldns.
7028
702910 April 2015: Wouter
7030	- unbound-control ratelimit_list lists high rate domains.
7031	- ratelimit feature, ratelimit: 100, or some sensible qps, can be
7032	  used to turn it on.  It ratelimits recursion effort per zone.
7033	  For particular names you can configure exceptions in unbound.conf.
7034	- Fix that get_option for cache-sizes does not print double newline.
7035	- Fix#663: ssl handshake fails when using unix socket because dh size
7036	  is too small.
7037
70388 April 2015: Wouter
7039	- Fix crash in dnstap: Do not try to log TCP responses after timeout.
7040
70417 April 2015: Wouter
7042	- Libunbound skips dos-line-endings from etc/hosts.
7043	- Unbound exits with a fatal error when the auto-trust-anchor-file
7044	  fails to be writable.  This is seconds after startup.  You can
7045	  load a readonly auto-trust-anchor-file with trust-anchor-file.
7046	  The file has to be writable to notice the trust anchor change,
7047	  without it, a trust anchor change will be unnoticed and the system
7048	  will then become inoperable.
7049	- unbound-control list_insecure command shows the negative trust
7050	  anchors currently configured, patch from Jelte Jansen.
7051
70522 April 2015: Wouter
7053	- Fix #660: Fix interface-automatic broken in the presence of
7054	  asymmetric routing.
7055
705626 March 2015: Wouter
7057	- remote.c probedelay line is easier to read.
7058	- rename ldns subdirectory to sldns to avoid name collision.
7059
706025 March 2015: Wouter
7061	- Fix #657:  libunbound(3) recommends deprecated
7062	  CRYPTO_set_id_callback.
7063	- If unknown trust anchor algorithm, and libressl is used, error
7064	  message encourages upgrade of the libressl package.
7065
706623 March 2015: Wouter
7067	- Fix segfault on user not found at startup (from Maciej Soltysiak).
7068
706920 March 2015: Wouter
7070	- Fixed to add integer overflow checks on allocation (defense in depth).
7071
707219 March 2015: Wouter
7073	- Add ip-transparent config option for bind to non-local addresses.
7074
707517 March 2015: Wouter
7076	- Use reallocarray for integer overflow protection, patch submitted
7077	  by Loganaden Velvindron.
7078
707916 March 2015: Wouter
7080	- Fixup compile on cygwin, more portable openssl thread id.
7081
708212 March 2015: Wouter
7083	- Updated default keylength in unbound-control-setup to 3k.
7084
708510 March 2015: Wouter
7086	- Fix lintian warning in unbound-checkconf man page (from Andreas
7087	  Schulze).
7088	- print svnroot when building windows dist.
7089	- iana portlist update.
7090	- Fix warning on sign compare in getentropy_linux.
7091
70929 March 2015: Wouter
7093	- Fix #644: harden-algo-downgrade option, if turned off, fixes the
7094	  reported excessive validation failure when multiple algorithms
7095	  are present.  It allows the weakest algorithm to validate the zone.
7096	- iana portlist update.
7097
70985 March 2015: Wouter
7099	- contrib/unbound_smf22.tar.gz: Solaris SMF installation/removal
7100	  scripts.  Contributed by Yuri Voinov.
7101	- Document that incoming-num-tcp increase is good for large servers.
7102	- stats reports tcp usage, of incoming-num-tcp buffers.
7103
71044 March 2015: Wouter
7105	- Patch from Brad Smith that syncs compat/getentropy_linux with
7106	  OpenBSD's version (2015-03-04).
7107	- 0x20 fallback improved: servfail responses do not count as missing
7108	  comparisons (except if all responses are errors),
7109	  inability to find nameservers does not fail equality comparisons,
7110	  many nameservers does not try to compare more than max-sent-count,
7111	  parse failures start 0x20 fallback procedure.
7112	- store caps_response with best response in case downgrade response
7113	  happens to be the last one.
7114	- Document windows 8 tests.
7115
71163 March 2015: Wouter
7117	- tag 1.5.3rc1
7118	[ This became 1.5.3 on 10 March, trunk is 1.5.4 in development ]
7119
71202 March 2015: Wouter
7121	- iana portlist update.
7122
712320 February 2015: Wouter
7124	- Use the getrandom syscall introduced in Linux 3.17 (from Heiner
7125	  Kallweit).
7126	- Fix #645 Portability to Solaris 10, use AF_LOCAL.
7127	- Fix #646 Portability to Solaris, -lrt for getentropy_solaris.
7128	- Fix #647 crash in 1.5.2 because pwd.db no longer accessible after
7129	  reload.
7130
713119 February 2015: Wouter
7132	- 1.5.2 release tag.
7133	- svn trunk contains 1.5.3 under development.
7134
713513 February 2015: Wouter
7136	- Fix #643: doc/example.conf.in: unnecessary whitespace.
7137
713812 February 2015: Wouter
7139	- tag 1.5.2rc1
7140
714111 February 2015: Wouter
7142	- iana portlist update.
7143
714410 February 2015: Wouter
7145	- Fix scrubber with harden-glue turned off to reject NS (and other
7146	  not-address) records.
7147
71489 February 2015: Wouter
7149	- Fix validation failure in case upstream forwarder (ISC BIND) does
7150	  not have the same trust anchors and decides to insert unsigned NS
7151	  record in authority section.
7152
71532 February 2015: Wouter
7154	- infra-cache-min-rtt patch from Florian Riehm, for expected long
7155	  uplink roundtrip times.
7156
715730 January 2015: Wouter
7158	- Fix 0x20 capsforid fallback to omit gratuitous NS and additional
7159	  section changes.
7160	- Portability fix for Solaris ('sun' is not usable for a variable).
7161
716229 January 2015: Wouter
7163	- Fix pyunbound byte string representation for python3.
7164
716526 January 2015: Wouter
7166	- Fix unintended use of gcc extension for incomplete enum types,
7167	  compile with pedantic c99 compliance (from Daniel Dickman).
7168
716923 January 2015: Wouter
7170	- windows port fixes, no AF_LOCAL, no chown, no chmod(grp).
7171
717216 January 2015: Wouter
7173	- unit test for local unix connection.  Documentation and log_addr
7174	  does not inspect port for AF_LOCAL.
7175	- unbound-checkconf -f prints chroot with pidfile path.
7176
717713 January 2015: Wouter
7178	- iana portlist update.
7179
718012 January 2015: Wouter
7181	- Cast sun_len sizeof to socklen_t.
7182	- Fix pyunbound ord call, portable for python 2 and 3.
7183
71847 January 2015: Wouter
7185	- Fix warnings in pythonmod changes.
7186
71876 January 2015: Wouter
7188	- iana portlist update.
7189	- patch for remote control over local sockets, from Dag-Erling
7190	  Smorgrav, Ilya Bakulin.  Use control-interface: /path/sock and
7191	  control-use-cert: no.
7192	- Fixup that patch and uid lookup (only for daemon).
7193	- coded the default of control-use-cert, to yes.
7194
71955 January 2015: Wouter
7196	- getauxval test for ppc64 linux compatibility.
7197	- make strip works for unbound-host and unbound-anchor.
7198	- patch from Stephane Lapie that adds to the python API, that
7199	  exposes struct delegpt, and adds the find_delegation function.
7200	- print query name when max target count is exceeded.
7201	- patch from Stuart Henderson that fixes DESTDIR in
7202	  unbound-control-setup for installs where config is not in
7203	  the prefix location.
7204	- Fix #634: fix fail to start on Linux LTS 3.14.X, ignores missing
7205	  IP_MTU_DISCOVER OMIT option (fix from Remi Gacogne).
7206	- Updated contrib warmup.cmd/sh to support two modes - load
7207	  from pre-defined list of domains or (with filename as argument)
7208	  load from user-specified list of domains, and updated contrib
7209	  unbound_cache.sh/cmd to support loading/save/reload cache to/from
7210	  default path or (with secondary argument) arbitrary path/filename,
7211	  from Yuri Voinov.
7212	- Patch from Philip Paeps to contrib/unbound_munin_ that uses
7213	  type ABSOLUTE.  Allows munin.conf: [idleserver.example.net]
7214	  unbound_munin_hits.graph_period minute
7215
72169 December 2014: Wouter
7217	- svn trunk has 1.5.2 in development.
7218	- config.guess and config.sub update from libtoolize.
7219	- local-zone: example.com inform makes unbound log a message with
7220	  client IP for queries in that zone.  Eg. for finding infected hosts.
7221
72228 December 2014: Wouter
7223	- Fix CVE-2014-8602: denial of service by making resolver chase
7224	  endless series of delegations.
7225
72261 December 2014: Wouter
7227	- Fix bug#632: unbound fails to build on AArch64, protects
7228	  getentropy compat code from calling sysctl if it is has been removed.
7229
723029 November 2014: Wouter
7231	- Add include to getentropy_linux.c, hopefully fixing debian build.
7232
723328 November 2014: Wouter
7234	- Fix makefile for build from noexec source tree.
7235
723626 November 2014: Wouter
7237	- Fix libunbound undefined symbol errors for main.
7238	  Referencing main does not seem to be possible for libunbound.
7239
724024 November 2014: Wouter
7241	- Fix log at high verbosity and memory allocation failure.
7242	- iana portlist update.
7243
724421 November 2014: Wouter
7245	- Fix crash on multiple thread random usage on systems without
7246	  arc4random.
7247
724820 November 2014: Wouter
7249	- fix compat/getentropy_win.c check if CryptGenRandom works and no
7250	  immediate exit on windows.
7251
725219 November 2014: Wouter
7253	- Fix cdflag dns64 processing.
7254
725518 November 2014: Wouter
7256	- Fix that CD flag disables DNS64 processing, returning the DNSSEC
7257	  signed AAAA denial.
7258	- iana portlist update.
7259
726017 November 2014: Wouter
7261	- Fix #627: SSL_CTX_load_verify_locations return code not properly
7262	  checked.
7263
726414 November 2014: Wouter
7265	- parser with bison 2.7
7266
726713 November 2014: Wouter
7268	- Patch from Stephane Lapie for ASAHI Net that implements aaaa-filter,
7269	added to contrib/aaaa-filter-iterator.patch.
7270
727112 November 2014: Wouter
7272	- trunk has 1.5.1 in development.
7273	- Patch from Robert Edmonds to build pyunbound python module
7274	  differently.  No versioninfo, with -shared and without $(LIBS).
7275	- Patch from Robert Edmonds fixes hyphens in unbound-anchor man page.
7276	- Removed 'increased limit open files' log message that is written
7277	  to console.  It is only written on verbosity 4 and higher.
7278	  This keeps system bootup console cleaner.
7279	- Patch from James Raftery, always print stats for rcodes 0..5.
7280
728111 November 2014: Wouter
7282	- iana portlist update.
7283	- Fix bug where forward or stub addresses with same address but
7284	  different port number were not tried.
7285	- version number in svn trunk is 1.5.0
7286	- tag 1.5.0rc1
7287	- review fix from Ralph.
7288
72897 November 2014: Wouter
7290	- dnstap fixes by Robert Edmonds:
7291		dnstap/dnstap.m4: cosmetic fixes
7292		dnstap/: Remove compiled protoc-c output files
7293		dnstap/dnstap.m4: Error out if required libraries are not found
7294		dnstap: Fix ProtobufCBufferSimple usage that is incorrect as of
7295			protobuf-c 1.0.0
7296		dnstap/: Adapt to API changes in latest libfstrm (>= 0.2.0)
7297
72984 November 2014: Wouter
7299	- Add ub_ctx_add_ta_autr function to add a RFC5011 automatically
7300	  tracked trust anchor to libunbound.
7301	- Redefine internal minievent symbols to unique symbols that helps
7302	  linking on platforms where the linker leaks names across modules.
7303
730427 October 2014: Wouter
7305	- Disabled use of SSLv3 in remote-control and ssl-upstream.
7306	- iana portlist update.
7307
730816 October 2014: Wouter
7309	- Documented dns64 configuration in unbound.conf man page.
7310
731113 October 2014: Wouter
7312	- Fix #617: in ldns in unbound, lowercase WKS services.
7313	- Fix ctype invocation casts.
7314
731510 October 2014: Wouter
7316	- Fix unbound-checkconf check for module config with dns64 module.
7317	- Fix unbound capsforid fallback, it ignores TTLs in comparison.
7318
73196 October 2014: Wouter
7320	- Fix #614: man page variable substitution bug.
73216 October 2014: Willem
7322	- Whitespaces after $ORIGIN are not part of the origin dname (ldns).
7323	- $TTL's value starts at position 5 (ldns).
7324
73251 October 2014: Wouter
7326	- fix #613: Allow tab ws in var length last rdfs (in ldns str2wire).
7327
732829 September 2014: Wouter
7329	- Fix #612: create service with service.conf in present directory and
7330	  auto load it.
7331	- Fix for mingw compile openssl ranlib.
7332
733325 September 2014: Wouter
7334	- updated configure and aclocal with newer autoconf 1.13.
7335
733622 September 2014: Wouter
7337	- Fix swig and python examples for Python 3.x.
7338	- Fix for mingw compile with openssl-1.0.1i.
7339
734019 September 2014: Wouter
7341	- improve python configuration detection to build on Fedora 22.
7342
734318 September 2014: Wouter
7344	- patches to also build with Python 3.x (from Pavel Simerda).
7345
734616 September 2014: Wouter
7347	- Fix tcp timer waiting list removal code.
7348	- iana portlist update.
7349	- Updated the TCP_BACLOG from 5 to 256, so that the tcp accept queue
7350	  is longer and more tcp connections can be handled.
7351
735215 September 2014: Wouter
7353	- Fix unit test for CDS typecode.
7354
73555 September 2014: Wouter
7356	- type CDS and CDNSKEY types in sldns.
7357
735825 August 2014: Wouter
7359	- Fixup checklock code for log lock and its mutual initialization
7360	  dependency.
7361	- iana portlist update.
7362	- Removed necessity for pkg-config from the dnstap.m4, new are
7363	  the --with-libfstrm and --with-protobuf-c configure options.
7364
736519 August 2014: Wouter
7366	- Update unbound manpage with more explanation (from Florian Obser).
7367
736818 August 2014: Wouter
7369	- Fix #603: unbound-checkconf -o <option> should skip verification
7370	  checks.
7371	- iana portlist update.
7372	- Fixup doc/unbound.doxygen to remove obsolete 1.8.7 settings.
7373
73745 August 2014: Wouter
7375	- dnstap support, with a patch from Farsight Security, written by
7376	  Robert Edmonds. The --enable-dnstap needs libfstrm and protobuf-c.
7377	  It is BSD licensed (see dnstap/dnstap.c).
7378	  Building with --enable-dnstap needs pkg-config with this patch.
7379	- Noted dnstap in doc/README and doc/CREDITS.
7380	- Changes to the dnstap patch.
7381	  - lint fixes.
7382	  - dnstap/dnstap_config.h should not have been added to the repo,
7383	    because is it generated.
7384
73851 August 2014: Wouter
7386	- Patch add msg, rrset, infra and key cache sizes to stats command
7387	  from Maciej Soltysiak.
7388	- iana portlist update.
7389
739031 July 2014: Wouter
7391	- DNS64 from Viagenie (BSD Licensed), written by Simon Perrault.
7392	  Initial commit of the patch from the FreeBSD base (with its fixes).
7393	  This adds a module (for module-config in unbound.conf) dns64 that
7394	  performs DNS64 processing, see README.DNS64.
7395	- Changes from DNS64:
7396	  strcpy changed to memmove.
7397	  arraybound check fixed from prefix_net/8/4 to prefix_net/8+4.
7398	  allocation of result consistently in the correct region.
7399	  time_t is now used for ttl in unbound (since the patch's version).
7400	- testdata/dns64_lookup.rpl for unit test for dns64 functionality.
7401
740229 July 2014: Wouter
7403	- Patch from Dag-Erling Smorgrav that implements feature, unbound -dd
7404	  does not fork in the background and also logs to stderr.
7405
740621 July 2014: Wouter
7407	- Fix endian.h include for OpenBSD.
7408
740916 July 2014: Wouter
7410	- And Fix#596: Bail out of unbound-control dump_infra when ssl
7411	  write fails.
7412
741315 July 2014: Wouter
7414	- Fix #596: Bail out of unbound-control list_local_zones when ssl
7415	  write fails.
7416	- iana portlist update.
7417
741813 July 2014: Wouter
7419	- Configure tests if main can be linked to from getentropy compat.
7420
742112 July 2014: Wouter
7422	- Fix getentropy compat code, function refs were not portable.
7423	- Fix to check openssl version number only for OpenSSL.
7424	- LibreSSL provides compat items, check for that in configure.
7425	- Fix bug in fix for log locks that caused deadlock in signal handler.
7426	- update compat/getentropy and arc4random to the most recent ones from OpenBSD.
7427
742811 July 2014: Matthijs
7429	- fake-rfc2553 patch (thanks Benjamin Baier).
7430
743111 July 2014: Wouter
7432	- arc4random in compat/ and getentropy, explicit_bzero, chacha for
7433	  dependencies, from OpenBSD.  arc4_lock and sha512 in compat.
7434	  This makes arc4random available on all platforms, except when
7435	  compiled with LIBNSS (it uses libNSS crypto random).
7436	- fix strptime implicit declaration error on OpenBSD.
7437	- arc4random, getentropy and explicit_bzero compat for Windows.
7438
74394 July 2014: Wouter
7440	- Fix #593: segfault or crash upon rotating logfile.
7441
74423 July 2014: Wouter
7443	- DLV tests added.
7444	- signit tool fixup for compile with libldns library.
7445	- iana portlist updated.
7446
744727 June 2014: Wouter
7448	- so-reuseport is available on BSDs(such as FreeBSD 10) and OS/X.
7449
745026 June 2014: Wouter
7451	- unbound-control status reports if so-reuseport was successful.
7452	- iana portlist updated.
7453
745424 June 2014: Wouter
7455	- Fix caps-for-id fallback, and added fallback attempt when servers
7456	  drop 0x20 perturbed queries.
7457	- Fixup testsetup for VM tests (run testcode/run_vm.sh).
7458
745917 June 2014: Wouter
7460	- iana portlist updated.
7461
74623 June 2014: Wouter
7463	- Add AAAA for B root server to default root hints.
7464
74652 June 2014: Wouter
7466	- Remove unused define from iterator.h
7467
746830 May 2014: Wouter
7469	- Fixup sldns_enum_edns_option typedef definition.
7470
747128 May 2014: Wouter
7472	- Code cleanup patch from Dag-Erling Smorgrav, with compiler issue
7473	  fixes from FreeBSD's copy of Unbound, he notes:
7474	  Generate unbound-control-setup.sh at build time so it respects
7475	  prefix and sysconfdir from the configure script.  Also fix the
7476	  umask to match the comment, and the comment to match the umask.
7477	  Add const and static where needed.  Use unions instead of
7478	  playing pointer poker.  Move declarations that are needed in
7479	  multiple source files into a shared header.  Move sldns_bgetc()
7480	  from parse.c to buffer.c where it belongs.  Introduce a new
7481	  header file, worker.h, which declares the callbacks that
7482	  all workers must define.  Remove those declarations from
7483	  libworker.h.	Include the correct headers in the correct places.
7484	  Fix a few dummy callbacks that don't match their prototype.
7485	  Fix some casts.  Hide the sbrk madness behind #ifdef HAVE_SBRK.
7486	  Remove a useless printf which breaks reproducible builds.
7487	  Get rid of CONFIGURE_{TARGET,DATE,BUILD_WITH} now that they're
7488	  no longer used.  Add unbound-control-setup.sh to the list of
7489	  generated files.  The prototype for libworker_event_done_cb()
7490	  needs to be moved from libunbound/libworker.h to
7491	  libunbound/worker.h.
7492	- Fixup out-of-directory compile with unbound-control-setup.sh.in.
7493	- make depend.
7494
749523 May 2014: Wouter
7496	- unbound-host -D enabled dnssec and reads root trust anchor from
7497	  the default root key file that was compiled in.
7498
749920 May 2014: Wouter
7500	- Feature, unblock-lan-zones: yesno that you can use to make unbound
7501	  perform 10.0.0.0/8 and other reverse lookups normally, for use if
7502	  unbound is running service for localhost on localhost.
7503
750416 May 2014: Wouter
7505	- Updated create_unbound_ad_servers and unbound_cache scripts from
7506	  Yuri Voinov in the source/contrib directory. Added
7507	  warmup.cmd (and .sh): warm up the DNS cache with your MRU domains.
7508
75099 May 2014: Wouter
7510	- Implement draft-ietf-dnsop-rfc6598-rfc6303-01.
7511	- iana portlist updated.
7512
75138 May 2014: Wouter
7514	- Contrib windows scripts from Yuri Voinov added to src/contrib:
7515	  create_unbound_ad_servers.cmd: enters anti-ad server lists.
7516	  unbound_cache.cmd: saves and loads the cache.
7517	- Added unbound-control-setup.cmd from Yuri Voinov to the windows
7518	  unbound distribution set.  It requires openssl installed in %PATH%.
7519
75206 May 2014: Wouter
7521	- Change MAX_SENT_COUNT from 16 to 32 to resolve some cases easier.
7522
75235 May 2014: Wouter
7524	- More #567: remove : from output of stub and forward lists, this is
7525	  easier to parse.
7526
752729 April 2014: Wouter
7528	- iana portlist updated.
7529	- Add unbound-control flush_negative that flushed nxdomains, nodata,
7530	  and errors from the cache.  For dnssec-trigger and NetworkManager,
7531	  fixes cases where network changes have localdata that was already
7532	  negatively cached from the previous network.
7533
753423 April 2014: Wouter
7535	- Patch from Jeremie Courreges-Anglas to use arc4random_uniform
7536	  if available on the OS, it gets entropy from the OS.
7537
753815 April 2014: Wouter
7539	- Fix compile with libevent2 on FreeBSD.
7540
754111 April 2014: Wouter
7542	- Fix #502: explain that do-ip6 disable does not stop AAAA lookups,
7543	  but it stops the use of the ipv6 transport layer for DNS traffic.
7544	- iana portlist updated.
7545
754610 April 2014: Wouter
7547	- iana portlist updated.
7548	- Patch from Hannes Frederic Sowa for Linux 3.15 fragmentation
7549	  option for DNS fragmentation defense.
7550	- Document that dump_requestlist only prints queries from thread 0.
7551	- unbound-control stats prints num.query.tcpout with number of TCP
7552	  outgoing queries made in the previous statistics interval.
7553	- Fix #567: unbound lists if forward zone is secure or insecure with
7554	  +i annotation in output of list_forwards, also for list_stubs
7555	  (for NetworkManager integration.)
7556	- Fix #554: use unsigned long to print 64bit statistics counters on
7557	  64bit systems.
7558	- Fix #558: failed prefetch lookup does not remove cached response
7559	  but delays next prefetch (in lieu of caching a SERVFAIL).
7560	- Fix #545: improved logging, the ip address of the error is printed
7561	  on the same log-line as the error.
7562
75638 April 2014: Wouter
7564	- Fix #574: make test fails on Ubuntu 14.04.  Disabled remote-control
7565	  in testbound scripts.
7566	- iana portlist updated.
7567
75687 April 2014: Wouter
7569	- C.ROOT-SERVERS.NET has an IPv6 address, and we updated the root
7570	  hints (patch from Anand Buddhdev).
7571	- Fix #572: Fix unit test failure for systems with different
7572	  /etc/services.
7573
757428 March 2014: Wouter
7575	- Fix #569: do_tcp is do-tcp in unbound.conf man page.
7576
757725 March 2014: Wouter
7578	- Patch from Stuart Henderson to build unbound-host man from .1.in.
7579
758024 March 2014: Wouter
7581	- Fix print filename of encompassing config file on read failure.
7582
758312 March 2014: Wouter
7584	- tag 1.4.22
7585	- trunk has 1.4.23 in development.
7586
758710 March 2014: Wouter
7588	- Fix bug#561: contrib/cacti plugin did not report SERVFAIL rcodes
7589	  because of spelling.  Patch from Chris Coates.
7590
759127 February 2014: Wouter
7592	- tag 1.4.22rc1
7593
759421 February 2014: Wouter
7595	- iana portlist updated.
7596
759720 February 2014: Matthijs
7598	- Be lenient when a NSEC NameError response with RCODE=NXDOMAIN is
7599	  received. This is okay according 4035, but not after revising
7600	  existence in 4592.  NSEC empty non-terminals exist and thus the
7601	  RCODE should have been NOERROR. If this occurs, and the RRsets
7602	  are secure, we set the RCODE to NOERROR and the security status
7603	  of the response is also considered secure.
7604
760514 February 2014: Wouter
7606	- Works on Minix (3.2.1).
7607
760811 February 2014: Wouter
7609	- Fix parse of #553(NSD) string in sldns, quotes without spaces.
7610
76117 February 2014: Wouter
7612	- iana portlist updated.
7613	- add body to ifstatement if locks disabled.
7614	- add TXT string"string" test case to unit test.
7615	- Fix #551: License change "Regents" to "Copyright holder", matching
7616	  the BSD license on opensource.org.
7617
76186 February 2014: Wouter
7619	- sldns has type HIP.
7620	- code documentation on the module interface.
7621
76225 February 2014: Wouter
7623	- Fix sldns parse tests on osx.
7624
76253 February 2014: Wouter
7626	- Detect libevent2 install automatically by configure.
7627	- Fixup link with lib/event2 subdir.
7628	- Fix parse in sldns of quoted parenthesized text strings.
7629
763031 January 2014: Wouter
7631	- unit test for ldns wire to str and back with zones, root, nlnetlabs
7632	  and types.sidnlabs.
7633	- Fix for hex to string in unknown, atma and nsap.
7634	- fixup nss compile (no ldns in it).
7635	- fixup warning in unitldns
7636	- fixup WKS and rdata type service to print unsigned because strings
7637	  are not portable; they cannot be read (for sure) on other computers.
7638	- fixup type EUI48 and EUI64, type APL and type IPSECKEY in string
7639	  parse sldns.
7640
764130 January 2014: Wouter
7642	- delay-close does not act if there are udp-wait queries, so that
7643	  it does not make a socketdrain DoS easier.
7644
764528 January 2014: Wouter
7646	- iana portlist updated.
7647	- iana portlist test updated so it does not touch the source
7648	  if there are no changes.
7649	- delay-close: msec option that delays closing ports for which
7650	  the UDP reply has timed out.  Keeps the port open, only accepts
7651	  the correct reply.  This correct reply is not used, but the port
7652	  is open so that no port-denied ICMPs are generated.
7653
765427 January 2014: Wouter
7655	- reuseport is attempted, then fallback to without on failure.
7656
765724 January 2014: Wouter
7658	- Change unbound-event.h to use void* buffer, length idiom.
7659	- iana portlist updated.
7660	- unbound-event.h is installed if you configure --enable-event-api.
7661	- speed up unbound (reports say it could be up to 10%), by reducing
7662	  lock contention on localzones.lock.  It is changed to an rwlock.
7663	- so-reuseport: yesno option to distribute queries evenly over
7664	  threads on Linux (Thanks Robert Edmonds).
7665	- made lint clean.
7666
766721 January 2014: Wouter
7668	- Fix #547: no trustanchor written if filesystem full, fclose checked.
7669
767017 January 2014: Wouter
7671	- Fix isprint() portability in sldns, uses unsigned int.
7672	- iana portlist updated.
7673
767416 January 2014: Wouter
7675	- fix #544: Fixed +i causes segfault when running with module conf
7676	  "iterator".
7677	- Windows port, adjust %lld to %I64d, and warning in win_event.c.
7678
767914 January 2014: Wouter
7680	- iana portlist updated.
7681
76825 Dec 2013: Wouter
7683	- Fix bug in cachedump that uses sldns.
7684	- update pythonmod for ldns_ to sldns_ name change.
7685
76863 Dec 2013: Wouter
7687	- Fix sldns to use sldns_ prefix for all ldns_ variables.
7688	- Fix windows compile to compile with sldns.
7689
769030 Nov 2013: Wouter
7691	- Fix sldns to make globals use sldns_ prefix.  This fixes
7692	  linking with libldns that uses global variables ldns_ .
7693
769413 Nov 2013: Wouter
7695	- Fix bug#537: compile python plugin without ldns library.
7696
769712 Nov 2013: Wouter
7698	- Fix bug#536: acl_deny_non_local and refuse_non_local added.
7699
77005 Nov 2013: Wouter
7701	- Patch from Neel Goyal to fix async id assignment if callback
7702	  is called by libunbound in the mesh attach.
7703	- Accept ip-address: as an alternative for interface: for
7704	  consistency with nsd.conf syntax.
7705
77064 Nov 2013: Wouter
7707	- Patch from Neel Goyal to fix callback in libunbound.
7708
77093 Nov 2013: Wouter
7710	- if configured --with-libunbound-only fix make install.
7711
771231 Oct 2013: Wouter
7713	- Fix #531: Set SO_REUSEADDR so that the wildcard interface and a
7714	  more specific interface port 53 can be used at the same time, and
7715	  one of the daemons is unbound.
7716	- iana portlist update.
7717	- separate ldns into core ldns inside ldns/ subdirectory.  No more
7718	  --with-ldns is needed and unbound does not rely on libldns.
7719	- portability fixes for new USE_SLDNS ldns subdir codebase.
7720
772122 Oct 2013: Wouter
7722	- Patch from Neel Goyal: Add an API call to set an event base on an
7723	  existing ub_ctx.  This basically just destroys the current worker and
7724	  sets the event base to the current.  And fix a deadlock in
7725	  ub_resolve_event – the cfglock is held when libworker_create is
7726	  called.  This ends up trying to acquire the lock again in
7727	  context_obtain_alloc in the call chain.
7728	- Fix #528: if very high logging (4 or more) segfault on allow_snoop.
7729
773026 Sep 2013: Wouter
7731	- unbound-event.h is installed if configured --with-libevent.  It
7732	  contains low-level library calls, that use libevent's event_base
7733	  and an ldns_buffer for the wire return packet to perform async
7734	  resolution in the client's eventloop.
7735
773619 Sep 2013: Wouter
7737	- 1.4.21 tag created.
7738	- trunk has 1.4.22 number inside it.
7739	- iana portlist updated.
7740	- acx_nlnetlabs.m4 to 26; improve FLTO help text.
7741
774216 Sep 2013: Wouter
7743	- Fix#524: max-udp-size not effective to non-EDNS0 queries, from
7744	  Daisuke HIGASHI.
7745
774610 Sep 2013: Wouter
7747	- MIN_TTL and MAX_TTL also in time_t.
7748	- tag 1.4.21rc1 made again.
7749
775026 Aug 2013: Wouter
7751	- More fixes for bug#519: for the threaded case test if the bg
7752	  thread has been killed, on ub_ctx_delete, to avoid hangs.
7753
775422 Aug 2013: Wouter
7755	- more fixes that I overlooked.
7756	- review fixes from Willem.
7757
775821 Aug 2013: Wouter
7759	- Fix#520: Errors found by static analysis from Tomas Hozza(redhat).
7760
776120 Aug 2013: Wouter
7762	- Fix for 2038, with time_t instead of uint32_t.
7763
776419 Aug 2013: Wouter
7765	- Fix#519 ub_ctx_delete may hang in some scenarios (libunbound).
7766
776714 Aug 2013: Wouter
7768	- Fix uninit variable in fix#516.
7769
77708 Aug 2013: Wouter
7771	- Fix#516 dnssec lameness detection for answers that are improper.
7772
777330 Jun 2013: Wouter
7774	- tag 1.4.21rc1
7775
777629 Jun 2013: Wouter
7777	- Fix#512 memleak in testcode for testbound (if it fails).
7778	- Fix#512 NSS returned arrays out of setup function to be statics.
7779
778026 Jun 2013: Wouter
7781	- max include of 100.000 files (depth and globbed at one time).
7782	  This is to preserve system memory in bug cases, or endless cases.
7783	- iana portlist updated.
7784
778519 Jun 2013: Wouter
7786	- streamtcp man page, contributed by Tomas Hozza.
7787	- iana portlist updated.
7788	- libunbound documentation on how to avoid openssl race conditions.
7789
779025 Jun 2013: Wouter
7791	- Squelch sendto-permission denied errors when the network is
7792	  not connected, to avoid spamming syslog.
7793	- configure --disable-flto option (from Robert Edmonds).
7794
779518 Jun 2013: Wouter
7796	- Fix for const string literals in C++ for libunbound, from Karel
7797	  Slany.
7798	- iana portlist updated.
7799
780017 Jun 2013: Wouter
7801	- Fixup manpage syntax.
7802
780314 Jun 2013: Wouter
7804	- get_option and set_option support for log-time-ascii, python-script
7805	  val-sig-skew-min and val-sig-skew-max.  log-time-ascii takes effect
7806	  immediately.  The others are mostly useful for libunbound users.
7807
780813 Jun 2013: Wouter
7809	- get_option, set_option, unbound-checkconf -o and libunbound
7810	  getoption and setoption support cache-min-ttl and cache-max-ttl.
7811
781210 Jun 2013: Wouter
7813	- Fix#501: forward-first does not recurse, when forward name is ".".
7814	- iana portlist update.
7815	- Max include depth is unlimited.
7816
781727 May 2013: Wouter
7818	- Update acx_pthreads.m4 to ax_pthreads.4 (2013-03-29), and apply
7819	  patch to it to not fail when -Werror is also specified, from the
7820	  autoconf-archives.
7821	- iana portlist update.
7822
782321 May 2013: Wouter
7824	- Explain bogus and secure flags in libunbound more.
7825
782616 May 2013: Wouter
7827	- Fix#499 use-after-free in out-of-memory handling code (thanks Jake
7828	  Montgomery).
7829	- Fix#500 use on non-initialised values on socket bind failures.
7830
783115 May 2013: Wouter
7832	- Fix round-robin doesn't work with some Windows clients (from Ilya
7833	  Bakulin).
7834
78353 May 2013: Wouter
7836	- update acx_nlnetlabs.m4 to v23, sleep w32 fix.
7837
783826 April 2013: Wouter
7839	- add unbound-control insecure_add and insecure_remove for the
7840	  administration of negative trust anchors.
7841
784225 April 2013: Wouter
7843	- Implement max-udp-size config option, default 4096 (thanks
7844	  Daisuke Higashi).
7845	- Robust checks on dname validity from rdata for dname compare.
7846	- updated iana portlist.
7847
784819 April 2013: Wouter
7849	- Fixup snprintf return value usage, fixed libunbound_get_option.
7850
785118 April 2013: Wouter
7852	- fix bug #491: pick program name (0th argument) as syslog identity.
7853	- own implementation of compat/snprintf.c.
7854
785515 April 2013: Wouter
7856	- Fix so that for a configuration line of include: "*.conf" it is not
7857	  an error if there are no files matching the glob pattern.
7858	- unbound-anchor review: BIO_write can return 0 successfully if it
7859	  has successfully appended a zero length string.
7860
786111 April 2013: Wouter
7862	- Fix queries leaking up for stubs and forwards, if the configured
7863	  nameservers all fail to answer.
7864
786510 April 2013: Wouter
7866	- code improve for minimal responses, small speed increase.
7867
78689 April 2013: Wouter
7869	- updated iana portlist.
7870	- Fix crash in previous private address fixup of 22 March.
7871
787228 March 2013: Wouter
7873	- Make reverse zones easier by documenting the nodefault statements
7874	  commented-out in the example config file.
7875
787626 March 2013: Wouter
7877	- more fixes to lookup3.c endianness detection.
7878
787925 March 2013: Wouter
7880	- #492: Fix endianness detection, revert to older lookup3.c detection
7881	  and put new detect lines after previous tests, to avoid regressions
7882	  but allow new detections to succeed.
7883	  And add detection for machine/endian.h to it.
7884
788522 March 2013: Wouter
7886	- Fix resolve of names that use a mix of public and private addresses.
7887	- iana portlist update.
7888	- Fix makedist for new svn for -d option.
7889	- unbound.h header file has UNBOUND_VERSION_MAJOR define.
7890	- Fix windows RSRC version for long version numbers.
7891
789221 March 2013: Wouter
7893	- release 1.4.20
7894	- trunk has 1.4.21
7895	- committed libunbound version 4:1:2 for binary API updated in 1.4.20
7896	- install copy of unbound-control.8 man page for unbound-control-setup
7897
789814 March 2013: Wouter
7899	- iana portlist update.
7900	- tag 1.4.20rc1
7901
790212 March 2013: Wouter
7903	- Fixup makedist.sh for windows compile.
7904
790511 March 2013: Wouter
7906	- iana portlist update.
7907	- testcode/ldns-testpkts.c check for makedist is informational.
7908
790915 February 2013: Wouter
7910	- fix defines in lookup3 for bigendian bsd alpha
7911
791211 February 2013: Wouter
7913	- Fixup openssl_thread init code to only run if compiled with SSL.
7914
79157 February 2013: Wouter
7916	- detect endianness in lookup3 on BSD.
7917	- add libunbound.ttl at end of result structure, version bump for
7918	  libunbound and binary backwards compatible, but 1.4.19 is not
7919	  forward compatible with 1.4.20.
7920	- update iana port list.
7921
792230 January 2013: Wouter
7923	- includes and have_ssl fixes for nss.
7924
792529 January 2013: Wouter
7926	- printout name of zone with duplicate fwd and hint errors.
7927
792828 January 2013: Wouter
7929	- updated fwd_zero for newer nc. Updated common.sh for newer netstat.
7930
793117 January 2013: Wouter
7932	- unbound-anchors checks the emailAddress of the signer of the
7933	  root.xml file, default is dnssec@iana.org.  It also checks that
7934	  the signer has the correct key usage for a digital signature.
7935	- update iana port list.
7936
79373 January 2013: Wouter
7938	- Test that unbound-control checks client credentials.
7939	- Test that unbound can handle a CNAME at an intermediate node in
7940	  the chain of trust (where it seeks a DS record).
7941	- Check the commonName of the signer of the root.xml file in
7942	  unbound-anchor, default is dnssec@iana.org.
7943
79442 January 2013: Wouter
7945	- Fix openssl lock free on exit (reported by Robert Fleischman).
7946	- iana portlist updated.
7947	- Tested that unbound implements the RFC5155 Technical Errata id 3441.
7948	  Unbound already implements insecure classification of an empty
7949	  nonterminal in NSEC3 optout zone.
7950
795120 December 2012: Wouter
7952	- Fix unbound-anchor xml parse of entity declarations for safety.
7953
795419 December 2012: Wouter
7955	- iana portlist updated.
7956
795718 December 2012: Wouter
7958	- iana portlist updated.
7959
796014 December 2012: Wouter
7961	- Change of D.ROOT-SERVERS.NET A address in default root hints.
7962
796312 December 2012: Wouter
7964	- 1.4.19 release.
7965	- trunk has 1.4.20 under development.
7966
79675 December 2012: Wouter
7968	- note support for AAAA RR type RFC.
7969
79704 December 2012: Wouter
7971	- 1.4.19rc1 tag.
7972
797330 November 2012: Wouter
7974	- bug 481: fix python example0.
7975	- iana portlist updated.
7976
797727 November 2012: Wouter
7978	- iana portlist updated.
7979
79809 November 2012: Wouter
7981	- Fix unbound-control forward disables configured stubs below it.
7982
79837 November 2012: Wouter
7984	- Fixup ldns-testpkts, identical to ldns/examples.
7985	- iana portlist updated.
7986
798730 October 2012: Wouter
7988	- Fix bug #477: unbound-anchor segfaults if EDNS is blocked.
7989
799029 October 2012: Matthijs
7991	- Fix validation for responses with both CNAME and wildcard
7992	  expanded CNAME records in answer section.
7993
79948 October 2012: Wouter
7995	- update ldns-testpkts.c to ldns 1.6.14 version.
7996	- fix build of pythonmod in objdir, for unbound.py.
7997	- make clean and makerealclean remove generated python and docs.
7998
79995 October 2012: Wouter
8000	- fix build of pythonmod in objdir (thanks Jakob Schlyter).
8001
80023 October 2012: Wouter
8003	- fix text in unbound-anchor man page.
8004
80051 October 2012: Wouter
8006	- ignore trusted-keys globs that have no files (from Paul Wouters).
8007
800827 September 2012: Wouter
8009	- include: directive in config file accepts wildcards.  Patch from
8010	  Paul Wouters.  Suggested use: include: "/etc/unbound.d/conf.d/*"
8011	- unbound-control -q option is quiet, patch from Mariano Absatz.
8012	- iana portlist updated.
8013	- updated contrib/unbound.spec, patch from Valentin Bud.
8014
801521 September 2012: Wouter
8016	- chdir to / after chroot call (suggested by Camiel Dobbelaar).
8017
801817 September 2012: Wouter
8019	- patch_rsamd5_enable.diff: this patch enables RSAMD5 validation
8020	  otherwise it is treated as insecure.  The RSAMD5 algorithm is
8021	  deprecated (RFC6725).  The MD5 hash is considered weak for some
8022	  purposes, if you want to sign your zone, then RSASHA256 is an
8023	  uncontested hash.
8024
802530 August 2012: Wouter
8026	- RFC6725 deprecates RSAMD5: this DNSKEY algorithm is disabled.
8027	- iana portlist updated.
8028
802929 August 2012: Wouter
8030	- Nicer comments outgoing-port-avoid, thanks Stu (bug #465).
8031
803222 August 2012: Wouter
8033	- Fallback to 1472 and 1232, one fragment size without headers.
8034
803521 August 2012: Wouter
8036	- Fix timeouts so that when a server has been offline for a while
8037	  and is probed to see it works, it becomes fully available for
8038	  server selection again.
8039
804017 August 2012: Wouter
8041	- Add documentation to libunbound for default nonuse of resolv.conf.
8042
80432 August 2012: Wouter
8044	- trunk has 1.4.19 under development (fixes from 1 aug and 31 july
8045	are for 1.4.19).
8046	- iana portlist updated.
8047
80481 August 2012: Wouter
8049	- Fix openssl race condition, initializes openssl locks, reported
8050	  by Einar Lonn and Patrik Wallstrom.
8051
805231 July 2012: Wouter
8053	- Improved forward-first and stub-first documentation.
8054	- Fix that enables modules to register twice for the same
8055	  serviced_query, without race conditions or administration issues.
8056	  This should not happen with the current codebase, but it is robust.
8057	- Fix forward-first option where it sets the RD flag wrongly.
8058	- added manpage links for libunbound calls (Thanks Paul Wouters).
8059
806030 July 2012: Wouter
8061	- tag 1.4.18rc2 (became 1.4.18 release at 2 august 2012).
8062
806327 July 2012: Wouter
8064	- unbound-host works with libNSS
8065	- fix bogus nodata cname chain not reported as bogus by validator,
8066	  (Thanks Peter van Dijk).
8067
806826 July 2012: Wouter
8069	- iana portlist updated.
8070	- tag 1.4.18rc1.
8071
807225 July 2012: Wouter
8073	- review fix for libnss, check hash prefix allocation size.
8074
807523 July 2012: Wouter
8076	- fix missing break for GOST DS hash function.
8077	- implemented forward_first for the root.
8078
807920 July 2012: Wouter
8080	- Fix bug#452 and another assertion failure in mesh.c, makes
8081	  assertions in mesh.c resist duplicates.  Fixes DS NS search to
8082	  not generate duplicate sub queries.
8083
808419 July 2012: Willem
8085	- Fix bug#454: Remove ACX_CHECK_COMPILER_FLAG from configure.ac,
8086	  if CFLAGS is specified at configure time then '-g -O2' is not
8087	  appended to CFLAGS, so that the user can override them.
8088
808918 July 2012: Willem
8090	- Fix libunbound report of errors when in background mode.
8091
809211 July 2012: Willem
8093	- updated iana ports list.
8094
80959 July 2012: Willem
8096	- Add flush_bogus option for unbound-control
8097
80986 July 2012: Wouter
8099	- Fix validation of qtype DS queries that result in no data for
8100	  non-optout NSEC3 zones.
8101
81024 July 2012: Wouter
8103	- compile libunbound with libnss on Suse, passes regression tests.
8104
81053 July 2012: Wouter
8106	- FIPS_mode openssl does not use arc4random but RAND_pseudo_bytes.
8107
81082 July 2012: Wouter
8109	- updated iana ports list.
8110
811129 June 2012: Wouter
8112	- patch for unbound_munin_ script to handle arbitrary thread count by
8113	  Sven Ulland.
8114
811528 June 2012: Wouter
8116	- detect if openssl has FIPS_mode.
8117	- code review: return value of cache_store can be ignored for better
8118	  performance in out of memory conditions.
8119	- fix edns-buffer-size and msg-buffer-size manpage documentation.
8120	- updated iana ports list.
8121
812225 June 2012: Wouter
8123	- disable RSAMD5 if in FIPS mode (for openssl and for libnss).
8124
812522 June 2012: Wouter
8126	- implement DS records, NSEC3 and ECDSA for compile with libnss.
8127
812821 June 2012: Wouter
8129	- fix error handling of alloc failure during rrsig verification.
8130	- nss check for verification failure.
8131	- nss crypto works for RSA and DSA.
8132
813320 June 2012: Wouter
8134	- work on --with-nss build option (for now, --with-libunbound-only).
8135
813619 June 2012: Wouter
8137	- --with-libunbound-only build option, only builds the library and
8138	  not the daemon and other tools.
8139
814018 June 2012: Wouter
8141	- code review.
8142
814315 June 2012: Wouter
8144	- implement log-time-ascii on windows.
8145	- The key-cache bad key ttl is now 60 seconds.
8146	- updated iana ports list.
8147	- code review.
8148
814911 June 2012: Wouter
8150	- bug #452: fix crash on assert in mesh_state_attachment.
8151
815230 May 2012: Wouter
8153	- silence warning from swig-generated code (md set but not used in
8154	  swig initmodule, due to ifdefs in swig-generated code).
8155
815627 May 2012: Wouter
8157	- Fix debian-bugs-658021: Please enable hardened build flags.
8158
815925 May 2012: Wouter
8160	- updated iana ports list.
8161
816224 May 2012: Wouter
8163	- tag for 1.4.17 release.
8164	- trunk is 1.4.18 in development.
8165
816618 May 2012: Wouter
8167	- Review comments, removed duplicate memset to zero in delegpt.
8168
816916 May 2012: Wouter
8170	- Updated doc/FEATURES with RFCs that are implemented but not listed.
8171	- Protect if statements in val_anchor for compile without locks.
8172	- tag for 1.4.17rc1.
8173
817415 May 2012: Wouter
8175	- fix configure ECDSA support in ldns detection for windows compile.
8176	- fix possible uninitialised variable in windows pipe implementation.
8177
81789 May 2012: Wouter
8179	- Fix alignment problem in util/random on sparc64/freebsd.
8180
81818 May 2012: Wouter
8182	- Fix for accept spinning reported by OpenBSD.
8183	- iana portlist updated.
8184
81852 May 2012: Wouter
8186	- Fix validation of nodata for DS query in NSEC zones, reported by
8187	  Ondrej Mikle.
8188
818913 April 2012: Wouter
8190	- ECDSA support (RFC 6605) by default. Use --disable-ecdsa for older
8191	  openssl.
8192
819310 April 2012: Wouter
8194	- Applied patch from Daisuke HIGASHI for rrset-roundrobin and
8195	  minimal-responses features.
8196	- iana portlist updated.
8197
81985 April 2012: Wouter
8199	- fix bug #443: --with-chroot-dir not honoured by configure.
8200	- fix bug #444: setusercontext was called too late (thanks Bjorn
8201	  Ketelaars).
8202
820327 March 2012: Wouter
8204	- fix bug #442: Fix that Makefile depends on pythonmod headers
8205	  even using --without-pythonmodule.
8206
820722 March 2012: Wouter
8208	- contrib/validation-reporter follows rotated log file (patch from
8209	  Augie Schwer).
8210
821121 March 2012: Wouter
8212	- new approach to NS fetches for DS lookup that works with
8213	  cornercases, and is more robust and considers forwarders.
8214
821519 March 2012: Wouter
8216	- iana portlist updated.
8217	- fix to locate nameservers for DS lookup with NS fetches.
8218
821916 March 2012: Wouter
8220	- Patch for access to full DNS packet data in unbound python module
8221	  from Ondrej Mikle.
8222
82239 March 2012: Wouter
8224	- Applied line-buffer patch from Augie Schwer to validation.reporter.sh.
8225
82262 March 2012: Wouter
8227	- flush_infra cleans timeouted servers from the cache too.
8228	- removed warning from --enable-ecdsa.
8229
82301 March 2012: Wouter
8231	- forward-first option.  Tries without forward if a query fails.
8232	  Also stub-first option that is similar.
8233
823428 February 2012: Wouter
8235	- Fix from code review, if EINPROGRESS not defined chain if statement
8236	  differently.
8237
823827 February 2012: Wouter
8239	- Fix bug#434: on windows check registry for config file location
8240	  for unbound-control.exe, and unbound-checkconf.exe.
8241
824223 February 2012: Wouter
8243	- Fix to squelch 'network unreachable' errors from tcp connect in
8244	  logs, high verbosity will show them.
8245
824616 February 2012: Wouter
8247	- iter_hints is now thread-owned in module env, and thus threadsafe.
8248	- Fix prefetch and sticky NS, now the prefetch works.  It picks
8249	  nameservers that 'would be valid in the future', and if this makes
8250	  the NS timeout, it updates that NS by asking delegation from the
8251	  parent again.  If child NS has longer TTL, that TTL does not get
8252	  refreshed from the lookup to the child nameserver.
8253
825415 February 2012: Wouter
8255	- Fix forward-zone memory, uses malloc and frees original root dp.
8256	- iter hints (stubs) uses malloc inside for more dynamicity.
8257	- unbound-control forward_add, forward_remove, stub_add, stub_remove
8258	  can modify stubs and forwards for running unbound (on mobile computer)
8259	  they can also add and remove domain-insecure for the zone.
8260
826114 February 2012: Wouter
8262	- Fix sticky NS (ghost domain problem) if prefetch is yes.
8263	- iter forwards uses malloc inside for more dynamicity.
8264
826513 February 2012: Wouter
8266	- RT#2955. Fix for cygwin compilation.
8267	- iana portlist updated.
8268
826910 February 2012: Wouter
8270	- Slightly smaller critical region in one case in infra cache.
8271	- Fix timeouts to keep track of query type, A, AAAA and other, if
8272	  another has caused timeout blacklist, different type can still probe.
8273	- unit test fix for nomem_cnametopos.rpl race condition.
8274
82759 February 2012: Wouter
8276	- Fix AHX_BROKEN_MEMCMP for autoheader mess up of #undef in config.h.
8277
82788 February 2012: Wouter
8279	- implement draft-ietf-dnsext-ecdsa-04; which is in IETF LC; This
8280	  implementation is experimental at this time and not recommended
8281	  for use on the public internet (the protocol numbers have not
8282	  been assigned).  Needs recent ldns with --enable-ecdsa.
8283	- fix memory leak in errorcase for DSA signatures.
8284	- iana portlist updated.
8285	- workaround for openssl 0.9.8 ecdsa sha2 and evp problem.
8286
82873 February 2012: Wouter
8288	- fix for windows, rename() is not posix compliant on windows.
8289
82902 February 2012: Wouter
8291	- 1.4.16 release tag.
8292	- svn trunk is 1.4.17 in development.
8293	- iana portlist updated.
8294
82951 February 2012: Wouter
8296	- Fix validation failures (like: validation failure xx: no NSEC3
8297	  closest encloser from yy for DS zz. while building chain of trust,
8298	  because of a bug in the TTL-fix in 1.4.15, it picked the wrong rdata
8299	  for an NSEC3.  Now it does not change rdata, and fixes TTL.
8300
830130 January 2012: Wouter
8302	- Fix version-number in libtool to be version-info so it produces
8303	  libunbound.so.2 like it should.
8304
830526 January 2012: Wouter
8306	- Tag 1.4.15 (same as 1.4.15rc1), for 1.4.15 release.
8307	- trunk 1.4.16; includes changes memset testcode, #424 openindiana,
8308	  and keyfile write fixup.
8309	- applied patch to support outgoing-interface with ub_ctx_set_option.
8310
831123 January 2012: Wouter
8312	- Fix memset in test code.
8313
831420 January 2012: Wouter
8315	- Fix bug #424: compile on OpenIndiana OS with gcc 4.6.2.
8316
831719 January 2012: Wouter
8318	- Fix to write key files completely to a temporary file, and if that
8319	  succeeds, replace the real key file.  So failures leave a useful file.
8320
832118 January 2012: Wouter
8322	- tag 1.4.15rc1 created
8323	- updated libunbound/ubsyms.def and remade tag 1.4.15rc1.
8324
832517 January 2012: Wouter
8326	- Fix bug where canonical_compare of RRSIG did not downcase the
8327	  signer-name.  This is mostly harmless because RRSIGs do not have
8328	  to be sorted in canonical order, usually.
8329
833012 January 2012: Wouter
8331	- bug#428: add ub_version() call to libunbound.  API version increase,
8332	  with (binary) backwards compatibility for the previous version.
8333
833410 January 2012: Wouter
8335	- Fix bug #425: unbound reports wrong TTL in reply, it reports a TTL
8336	  that would be permissible by the RFCs but it is not the TTL in the
8337	  cache.
8338	- iana portlist updated.
8339	- uninitialised variable in reprobe for rtt blocked domains fixed.
8340	- lintfix and new flex output.
8341
83422 January 2012: Wouter
8343	- Fix to randomize hash function, based on 28c3 congress, reported
8344	  by Peter van Dijk.
8345
834624 December 2011: Wouter
8347	- Fix for memory leak (about 20 bytes when a tcp or udp send operation
8348	  towards authority servers failed, takes about 50.000 such failures to
8349	  leak one Mb, such failures are also usually logged), reported by
8350	  Robert Fleischmann.
8351	- iana portlist updated.
8352
835319 December 2011: Wouter
8354	- Fix for VU#209659 CVE-2011-4528: Unbound denial of service
8355	  vulnerabilities from nonstandard redirection and denial of existence
8356	  http://www.unbound.net/downloads/CVE-2011-4528.txt
8357	- robust checks for next-closer NSEC3s.
8358	- tag 1.4.14 created.
8359	- trunk has 1.4.15 in development.
8360
836115 December 2011: Wouter
8362	- remove uninit warning from cachedump code.
8363	- Fix parse error on negative SOA RRSIGs if badly ordered in the packet.
8364
836513 December 2011: Wouter
8366	- iana portlist updated.
8367	- svn tag 1.4.14rc1
8368	- fix infra cache comparison.
8369	- Fix to constrain signer_name to be a parent of the lookupname.
8370
83715 December 2011: Wouter
8372	- Fix getaddrinfowithincludes on windows with fedora16 mingw32-gcc.
8373	- Fix warnings with gcc 4.6 in compat/inet_ntop.c.
8374	- Fix warning unused in compat/strptime.c.
8375	- Fix malloc detection and double definition.
8376
83772 December 2011: Wouter
8378	- configure generated with autoconf 2.68.
8379
838030 November 2011: Wouter
8381	- Fix for tcp-upstream and ssl-upstream for if a laptop sleeps, causes
8382	  SERVFAILs.  Also fixed for UDP (but less likely).
8383
838428 November 2011: Wouter
8385	- Fix quartile time estimate, it was too low, (thanks Jan Komissar).
8386	- iana ports updated.
8387
838811 November 2011: Wouter
8389	- Makefile compat with SunOS make, BSD make and GNU make.
8390	- iana ports updated.
8391
839210 November 2011: Wouter
8393	- Makefile changed for BSD make compatibility.
8394
83959 November 2011: Wouter
8396	- added unit test for SSL service and SSL-upstream.
8397
83988 November 2011: Wouter
8399	- can configure ssl service to one port number, and not on others.
8400	- fixup windows compile with ssl support.
8401	- Fix double free in unbound-host, reported by Steve Grubb.
8402	- iana portlist updated.
8403
84041 November 2011: Wouter
8405	- dns over ssl support as a client, ssl-upstream yes turns it on.
8406	  It performs an SSL transaction for every DNS query (250 msec).
8407	- documentation for new options: ssl-upstream, ssl-service-key and
8408	  ssl-service.pem.
8409	- iana portlist updated.
8410	- fix -flto detection on Lion for llvm-gcc.
8411
841231 October 2011: Wouter
8413	- dns over ssl support, ssl-service-pem and ssl-service-key files
8414	  can be given and then TCP queries are serviced wrapped in SSL.
8415
841627 October 2011: Wouter
8417	- lame-ttl and lame-size options no longer exist, it is integrated
8418	  with the host info.  They are ignored (with verbose warning) if
8419	  encountered to keep the config file backwards compatible.
8420	- fix iana-update for changing gzip compression of results.
8421	- fix export-all-symbols on OSX.
8422
842326 October 2011: Wouter
8424	- iana portlist updated.
8425	- Infra cache stores information about ping and lameness per IP, zone.
8426	  This fixes bug #416.
8427	- fix iana_update target for gzipped file on iana site.
8428
842924 October 2011: Wouter
8430	- Fix resolve of partners.extranet.microsoft.com with a fix for the
8431	  server selection for choosing out of a (particular) list of bad
8432	  choices. (bug#415)
8433	- Fix make_new_space function so that the incoming query is not
8434	  overwritten if a jostled out query causes a waiting query to be
8435	  resumed that then fails and sends an error message.  (Thanks to
8436	  Matthew Lee).
8437
843821 October 2011: Wouter
8439	- fix --enable-allsymbols, fptr wlist is disabled on windows with this
8440	  option enabled because of memory layout exe vs dll.
8441
844219 October 2011: Wouter
8443	- fix unbound-anchor for broken strptime on OSX lion, detected
8444	  in configure.
8445	- Detect if GOST really works, openssl1.0 on OSX fails.
8446	- Implement ipv6%interface notation for scope_id usage.
8447
844817 October 2011: Wouter
8449	- better documentation for inform_super (Thanks Yang Zhe).
8450
845114 October 2011: Wouter
8452	- Fix for out-of-memory condition in libunbound (thanks
8453	  Robert Fleischman).
8454
845513 October 2011: Wouter
8456	- Fix --enable-allsymbols, it depended on link specifics of the
8457	  target platform, or fptr_wlist assertion failures could occur.
8458
845912 October 2011: Wouter
8460	- updated contrib/unbound_munin_ to family=auto so that it works with
8461	  munin-node-configure automatically (if installed as
8462	  /usr/local/share/munin/plugins/unbound_munin_ ).
8463
846427 September 2011: Wouter
8465	- unbound.exe -w windows option for start and stop service.
8466
846723 September 2011: Wouter
8468	- TCP-upstream calculates tcp-ping so server selection works if there
8469	  are alternatives.
8470
847120 September 2011: Wouter
8472	- Fix classification of NS set in answer section, where there is a
8473	  parent-child server, and the answer has the AA flag for dir.slb.com.
8474	  Thanks to Amanda Constant from Secure64.
8475
847616 September 2011: Wouter
8477	- fix bug #408: accept patch from Steve Snyder that comments out
8478	  unused functions in lookup3.c.
8479	- iana portlist updated.
8480	- fix EDNS1480 change memleak and TCP fallback.
8481	- fix various compiler warnings (reported by Paul Wouters).
8482	- max sent count.  EDNS1480 only for rtt < 5000.  No promiscuous
8483	  fetch if sentcount > 3, stop query if sentcount > 16.  Count is
8484	  reset when referral or CNAME happens.  This makes unbound better
8485	  at managing large NS sets, they are explored when there is continued
8486	  interest (in the form of queries).
8487
848815 September 2011: Wouter
8489	- release 1.4.13.
8490	- trunk contains 1.4.14 in development.
8491	- Unbound probes at EDNS1480 if there an EDNS0 timeout.
8492
849312 September 2011: Wouter
8494	- Reverted dns EDNS backoff fix, it did not help and needs
8495	  fragmentation fixes instead.
8496	- tag 1.4.13rc2
8497
84987 September 2011: Wouter
8499	- Fix operation in ipv6 only (do-ip4: no) mode.
8500
85016 September 2011: Wouter
8502	- fedora specfile updated.
8503
85045 September 2011: Wouter
8505	- tag 1.4.13rc1
8506
85072 September 2011: Wouter
8508	- iana portlist updated.
8509
851026 August 2011: Wouter
8511	- Fix num-threads 0 does not segfault, reported by Simon Deziel.
8512	- Fix validation failures due to EDNS backoff retries, the retry
8513	  for fetch of data has want_dnssec because the iter_indicate_dnssec
8514	  function returns true when validation failure retry happens, and
8515	  then the serviced query code does not fallback to noEDNS, even if
8516	  the cache says it has this.  This helps for DLV deployment when
8517	  the DNSSEC status is not known for sure before the lookup concludes.
8518
851924 August 2011: Wouter
8520	- Applied patch from Karel Slany that fixes a memory leak in the
8521	  unbound python module, in string conversions.
8522
852322 August 2011: Wouter
8524	- Fix validation of qtype ANY responses with CNAMEs (thanks Cathy
8525	  Zhang and Luo Ce).  Unbound responds with the RR types that are
8526	  available at the name for qtype ANY and validates those RR types.
8527	  It does not test for completeness (i.e. with NSEC or NSEC3 query),
8528	  and it does not follow the CNAME or DNAME to another name (with
8529	  even more data for the already large response).
8530	- Fix that internally, CNAMEs with NXDOMAIN have that as rcode.
8531	- Documented the options that work with control set_option command.
8532	- tcp-upstream yes/no option (works with set_option) for tunnels.
8533
853418 August 2011: Wouter
8535	- fix autoconf call in makedist crosscompile to RC or snapshot.
8536
853717 August 2011: Wouter
8538	- Fix validation of . DS query.
8539	- new xml format at IANA, new awk for iana_update.
8540	- iana portlist updated.
8541
854210 August 2011: Wouter
8543	- Fix python site-packages path to /usr/lib64.
8544	- updated patch from Tom.
8545	- fix memory and fd leak after out-of-memory condition.
8546
85479 August 2011: Wouter
8548	- patch from Tom Hendrikx fixes load of python modules.
8549
85508 August 2011: Wouter
8551	- make clean had ldns-src reference, removed.
8552
85531 August 2011: Wouter
8554	- Fix autoconf 2.68 warnings
8555
855614 July 2011: Wouter
8557	- Unbound implements RFC6303 (since version 1.4.7).
8558	- tag 1.4.12rc1 is released as 1.4.12 (without the other fixes in the
8559	  meantime, those are for 1.4.13).
8560	- iana portlist updated.
8561
856213 July 2011: Wouter
8563	- Quick fix for contrib/unbound.spec example, no ldns-builtin any more.
8564
856511 July 2011: Wouter
8566	- Fix wildcard expansion no-data reply under an optout NSEC3 zone is
8567	  validated as insecure, reported by Jia Li (lijia@cnnic.cn).
8568
85694 July 2011: Wouter
8570	- 1.4.12rc1 tag created.
8571
85721 July 2011: Wouter
8573	- version number in example config file.
8574	- fix that --enable-static-exe does not complain about it unknown.
8575
857630 June 2011: Wouter
8577	- tag release 1.4.11, trunk is 1.4.12 development.
8578	- iana portlist updated.
8579	- fix bug#395: id bits of other query may leak out under conditions
8580	- fix replyaddr count wrong after jostled queries, which leads to
8581	  eventual starvation where the daemon has no replyaddrs left to use.
8582	- fix comment about rndc port, that referred to the old port number.
8583	- fix that the listening socket is not closed when too many remote
8584	  control connections are made at the same time.
8585	- removed ldns-src tarball inside the unbound tarball.
8586
858723 June 2011: Wouter
8588	- Changed -flto check to support clang compiler.
8589	- tag 1.4.11rc3 created.
8590
859117 June 2011: Wouter
8592	- tag 1.4.11rc1 created.
8593	- remove warning about signed/unsigned from flex (other flex version).
8594	- updated aclocal.m4 and libtool to match.
8595	- tag 1.4.11rc2 created.
8596
859716 June 2011: Wouter
8598	- log-queries: yesno option, default is no, prints querylog.
8599	- version is 1.4.11.
8600
860114 June 2011: Wouter
8602	- Use -flto compiler flag for link time optimization, if supported.
8603	- iana portlist updated.
8604
860512 June 2011: Wouter
8606	- IPv6 service address for d.root-servers.net (2001:500:2D::D).
8607
860810 June 2011: Wouter
8609	- unbound-control has version number in the header,
8610	  UBCT[version]_space_ is the header sent by the client now.
8611	- Unbound control port number is registered with IANA:
8612	  ub-dns-control  8953/tcp    unbound dns nameserver control
8613	  This is the new default for the control-port config setting.
8614	- statistics-interval prints the number of jostled queries to log.
8615
861630 May 2011: Wouter
8617	- Fix Makefile for U in environment, since wrong U is more common than
8618	  deansification necessity.
8619	- iana portlist updated.
8620	- updated ldns tarball to 1.6.10rc2 snapshot of today.
8621
862225 May 2011: Wouter
8623	- Fix assertion failure when unbound generates an empty error reply
8624	  in response to a query, CVE-2011-1922 VU#531342.
8625	- This fix is in tag 1.4.10.
8626	- defense in depth against the above bug, an error is printed to log
8627	  instead of an assertion failure.
8628
862910 May 2011: Wouter
8630	- bug#386: --enable-allsymbols option links all binaries to libunbound
8631	  and reduces install size significantly.
8632	- feature, ignore-cd-flag: yesno to provide dnssec to legacy servers.
8633	- iana portlist updated.
8634	- Fix TTL of SOA so negative TTL is separately cached from normal TTL.
8635
863614 April 2011: Wouter
8637	- configure created with newer autoconf 2.66.
8638
863912 April 2011: Wouter
8640	- bug#378: Fix that configure checks for ldns_get_random presence.
8641
86428 April 2011: Wouter
8643	- iana portlist updated.
8644	- queries with CD flag set cause DNSSEC validation, but the answer is
8645	  not withheld if it is bogus.  Thus, unbound will retry if it is bad
8646	  and curb the TTL if it is bad, thus protecting the cache for use by
8647	  downstream validators.
8648	- val-override-date: -1 ignores dates entirely, for NTP usage.
8649
865029 March 2011: Wouter
8651	- harden-below-nxdomain: changed so that it activates when the
8652	  cached nxdomain is dnssec secure.  This avoids backwards
8653	  incompatibility because those old servers do not have dnssec.
8654
865524 March 2011: Wouter
8656	- iana portlist updated.
8657	- release 1.4.9.
8658	- trunk is 1.5.0
8659
866017 March 2011: Wouter
8661	- bug#370: new unbound.spec for CentOS 5.x from Harold Jones.
8662	  Applied but did not do the --disable-gost.
8663
866410 March 2011: Wouter
8665	- tag 1.4.9 release candidate 1 created.
8666
86673 March 2011: Wouter
8668	- updated ldns to today.
8669
86701 March 2011: Wouter
8671	- Fix no ADflag for NXDOMAIN in NSEC3 optout. And wildcard in optout.
8672	- give config parse error for multiple names on a stub or forward zone.
8673	- updated ldns tarball to 1.6.9(todays snapshot).
8674
867524 February 2011: Wouter
8676	- bug #361: Fix, time.elapsed variable not reset with stats_noreset.
8677
867823 February 2011: Wouter
8679	- iana portlist updated.
8680	- common.sh to version 3.
8681
868218 February 2011: Wouter
8683	- common.sh in testdata updated to version 2.
8684
868515 February 2011: Wouter
8686	- Added explicit note on unbound-anchor usage:
8687	  Please note usage of unbound-anchor root anchor is at your own risk
8688	  and under the terms of our LICENSE (see that file in the source).
8689
869011 February 2011: Wouter
8691	- iana portlist updated.
8692	- tpkg updated with common.sh for common functionality.
8693
86947 February 2011: Wouter
8695	- Added regression test for addition of a .net DS to the root, and
8696	  cache effects with different TTL for glue and DNSKEY.
8697	- iana portlist updated.
8698
869928 January 2011: Wouter
8700	- Fix remove private address does not throw away entire response.
8701
870224 January 2011: Wouter
8703	- release 1.4.8
8704
870519 January 2011: Wouter
8706	- fix bug#349: no -L/usr for ldns.
8707
870818 January 2011: Wouter
8709	- ldns 1.6.8 tarball included.
8710	- release 1.4.8rc1.
8711
871217 January 2011: Wouter
8713	- add get and set option for harden-below-nxdomain feature.
8714	- iana portlist updated.
8715
871614 January 2011: Wouter
8717	- Fix so a changed NS RRset does not get moved name stuck on old
8718	  server, for type NS the TTL is not increased.
8719
872013 January 2011: Wouter
8721	- Fix prefetch so it does not get stuck on old server for moved names.
8722
872312 January 2011: Wouter
8724	- iana portlist updated.
8725
872611 January 2011: Wouter
8727	- Fix insecure CNAME sequence marked as secure, reported by Bert
8728	  Hubert.
8729
873010 January 2011: Wouter
8731	- faster lruhash get_mem routine.
8732
87334 January 2011: Wouter
8734	- bug#346: remove ITAR scripts from contrib, the service is discontinued, use the root.
8735	- iana portlist updated.
8736
873723 December 2010: Wouter
8738	- Fix in infra cache that could cause rto larger than TOP_TIMEOUT kept.
8739
874021 December 2010: Wouter
8741	- algorithm compromise protection using the algorithms signalled in
8742	  the DS record.  Also, trust anchors, DLV, and RFC5011 receive this,
8743	  and thus, if you have multiple algorithms in your trust-anchor-file
8744	  then it will now behave different than before.  Also, 5011 rollover
8745	  for algorithms needs to be double-signature until the old algorithm
8746	  is revoked.
8747	  It is not an option, because I see no use to turn the security off.
8748	- iana portlist updated.
8749
875017 December 2010: Wouter
8751	- squelch 'tcp connect: bla' in logfile, (set verbosity 2 to see them).
8752	- fix validation in this case: CNAME to nodata for co-hosted opt-in
8753	  NSEC3 insecure delegation, was bogus, fixed to be insecure.
8754
875516 December 2010: Wouter
8756	- Fix our 'BDS' license (typo reported by Xavier Belanger).
8757
875810 December 2010: Wouter
8759	- iana portlist updated.
8760	- review changes for unbound-anchor.
8761
87622 December 2010: Wouter
8763	- feature typetransparent localzone, does not block other RR types.
8764
87651 December 2010: Wouter
8766	- Fix bug#338: print address when socket creation fails.
8767
876830 November 2010: Wouter
8769	- Fix storage of EDNS failures in the infra cache.
8770	- iana portlist updated.
8771
877218 November 2010: Wouter
8773	- harden-below-nxdomain option, default off (because very old
8774	  software may be incompatible).  We could enable it by default in
8775	  the future.
8776
877717 November 2010: Wouter
8778	- implement draft-vixie-dnsext-resimprove-00, we stop on NXDOMAIN.
8779	- make test output nicer.
8780
878115 November 2010: Wouter
8782	- silence 'tcp connect: broken pipe' and 'net down' at low verbosity.
8783	- iana portlist updated.
8784	- so-sndbuf option for very busy servers, a bit like so-rcvbuf.
8785
87869 November 2010: Wouter
8787	- unbound-anchor compiles with openssl 0.9.7.
8788
87898 November 2010: Wouter
8790	- release tag 1.4.7.
8791	- trunk is version 1.4.8.
8792	- Be lenient and accept imgw.pl malformed packet (like BIND).
8793
87945 November 2010: Wouter
8795	- do not synthesize a CNAME message from cache for qtype DS.
8796
87974 November 2010: Wouter
8798	- Use central entropy to seed threads.
8799
88003 November 2010: Wouter
8801	- Change the rtt used to probe EDNS-timeout hosts to 1000 msec.
8802
88032 November 2010: Wouter
8804	- tag 1.4.7rc1.
8805	- code review.
8806
88071 November 2010: Wouter
8808	- GOST code enabled by default (RFC 5933).
8809
881027 October 2010: Wouter
8811	- Fix uninit value in dump_infra print.
8812	- Fix validation failure for parent and child on same server with an
8813	  insecure childzone and a CNAME from parent to child.
8814	- Configure detects libev-4.00.
8815
881626 October 2010: Wouter
8817	- dump_infra and flush_infra commands for unbound-control.
8818	- no timeout backoff if meanwhile a query succeeded.
8819	- Change of timeout code.  No more lost and backoff in blockage.
8820	  At 12sec timeout (and at least 2x lost before) one probe per IP
8821	  is allowed only.  At 120sec, the IP is blocked.  After 15min, a
8822	  120sec entry has a single retry packet.
8823
882425 October 2010: Wouter
8825	- Configure errors if ldns is not found.
8826
882722 October 2010: Wouter
8828	- Windows 7 fix for the installer.
8829
883021 October 2010: Wouter
8831	- Fix bug where fallback_tcp causes wrong roundtrip and edns
8832	  observation to be noted in cache.  Fix bug where EDNSprobe halted
8833	  exponential backoff if EDNS status unknown.
8834	- new unresponsive host method, exponentially increasing block backoff.
8835	- iana portlist updated.
8836
883720 October 2010: Wouter
8838	- interface automatic works for some people with ip6 disabled.
8839	  Therefore the error check is removed, so they can use the option.
8840
884119 October 2010: Wouter
8842	- Fix for request list growth, if a server has long timeout but the
8843	  lost counter is low, then its effective rtt is the one without
8844	  exponential backoff applied.  Because the backoff is not working.
8845	  The lost counter can then increase and the server is blacklisted,
8846	  or the lost counter does not increase and the server is working
8847	  for some queries.
8848
884918 October 2010: Wouter
8850	- iana portlist updated.
8851
885213 October 2010: Wouter
8853	- Fix TCP so it uses a random outgoing-interface.
8854	- unbound-anchor handles ADDPEND keystate.
8855
885611 October 2010: Wouter
8857	- Fix bug when DLV below a trust-anchor that uses NSEC3 optout where
8858	  the zone has a secure delegation hosted on the same server did not
8859	  verify as secure (it was insecure by mistake).
8860	- iana portlist updated.
8861	- ldns tarball updated (for reading cachedumps with bad RR data).
8862
88631 October 2010: Wouter
8864	- test for unbound-anchor. fix for reading certs.
8865	- Fix alloc_reg_release for longer uptime in out of memory conditions.
8866
886728 September 2010: Wouter
8868	- unbound-anchor working, it creates or updates a root.key file.
8869	  Use it before you start the validator (e.g. at system boot time).
8870
887127 September 2010: Wouter
8872	- iana portlist updated.
8873
887424 September 2010: Wouter
8875	- bug#329: in example.conf show correct ipv4 link-local 169.254/16.
8876
887723 September 2010: Wouter
8878	- unbound-anchor app, unbound requires libexpat (xml parser library).
8879
888022 September 2010: Wouter
8881	- compliance with draft-ietf-dnsop-default-local-zones-14, removed
8882	  reverse ipv6 orchid prefix from builtin list.
8883	- iana portlist updated.
8884
888517 September 2010: Wouter
8886	- DLV has downgrade protection again, because the RFC says so.
8887	- iana portlist updated.
8888
888916 September 2010: Wouter
8890	- Algorithm rollover operational reality intrudes, for trust-anchor,
8891	  5011-store, and DLV-anchor if one key matches it's good enough.
8892	- iana portlist updated.
8893	- Fix reported validation error in out of memory condition.
8894
889515 September 2010: Wouter
8896	- Abide RFC5155 section 9.2: no AD flag for replies with NSEC3 optout.
8897
889814 September 2010: Wouter
8899	- increased mesh-max-activation from 1000 to 3000 for crazy domains
8900	  like _tcp.slb.com with 262 servers.
8901	- iana portlist updated.
8902
890313 September 2010: Wouter
8904	- bug#327: Fix for cannot access stub zones until the root is primed.
8905
89069 September 2010: Wouter
8907	- unresponsive servers are not completely blacklisted (because of
8908	  firewalls), but also not probed all the time (because of the request
8909	  list size it generates).  The probe rate is 1%.
8910	- iana portlist updated.
8911
891220 August 2010: Wouter
8913	- openbsd-lint fixes: acl_list_get_mem used if debug-alloc enabled.
8914	  iterator get_mem includes priv_get_mem.  delegpt nodup removed.
8915	  listen_pushback, query_info_allocqname, write_socket, send_packet,
8916	  comm_point_set_cb_arg and listen_resume removed.
8917
891819 August 2010: Wouter
8919	- Fix bug#321: resolution of rs.ripe.net artifacts with 0x20.
8920	  Delegpt structures checked for duplicates always.
8921	  No more nameserver lookups generated when depth is full anyway.
8922	- example.conf notes how to do DNSSEC validation and track the root.
8923	- iana portlist updated.
8924
892518 August 2010: Wouter
8926	- Fix bug#322: configure does not respect CFLAGS on Solaris.
8927	  Pass CFLAGS="-xO4 -xtarget=generic" on the configure command line
8928	  if use sun-cc, but some systems need different flags.
8929
893016 August 2010: Wouter
8931	- Fix acx_nlnetlabs.m4 configure output for autoconf-2.66 AS_TR_CPP
8932	  changes, uses m4_bpatsubst now.
8933	- make test (or make check) should be more portable and run the unit
8934	  test and testbound scripts. (make longtest has special requirements).
8935
893613 August 2010: Wouter
8937	- More pleasant remote control command parsing.
8938	- documentation added for return values reported by doxygen 1.7.1.
8939	- iana portlist updated.
8940
89419 August 2010: Wouter
8942	- Fix name of rrset printed that failed validation.
8943
89445 August 2010: Wouter
8945	- Return NXDOMAIN after chain of CNAMEs ends at name-not-found.
8946
89474 August 2010: Wouter
8948	- Fix validation in case a trust anchor enters into a zone with
8949	  unsupported algorithms.
8950
89513 August 2010: Wouter
8952	- updated ldns tarball with bugfixes.
8953	- release tag 1.4.6.
8954	- trunk becomes 1.4.7 develop.
8955	- iana portlist updated.
8956
895722 July 2010: Wouter
8958	- more error details on failed remote control connection.
8959
896015 July 2010: Wouter
8961	- rlimit adjustments for select and ulimit can happen at the same time.
8962
896314 July 2010: Wouter
8964	- Donation text added to README.
8965	- Fix integer underflow in prefetch ttl creation from cache.  This
8966	  fixes a potential negative prefetch ttl.
8967
896812 July 2010: Wouter
8969	- Changed the defaults for num-queries-per-thread/outgoing-range.
8970	  For builtin-select: 512/960, for libevent 1024/4096 and for
8971	  windows 24/48 (because of win api).  This makes the ratio this way
8972	  to improve resilience under heavy load.  For high performance, use
8973	  libevent and possibly higher numbers.
8974
897510 July 2010: Wouter
8976	- GOST enabled if SSL is recent and ldns has GOST enabled too.
8977	- ldns tarball updated.
8978
89799 July 2010: Wouter
8980	- iana portlist updated.
8981	- Fix validation of qtype DNSKEY when a key-cache entry exists but
8982	  no rr-cache entry is used (it expired or prefetch), it then goes
8983	  back up to the DS or trust-anchor to validate the DNSKEY.
8984
89857 July 2010: Wouter
8986	- Neat function prototypes, unshadowed local declarations.
8987
89886 July 2010: Wouter
8989	- failure to chown the pidfile is not fatal any more.
8990	- testbound uses UTC timezone.
8991	- ldns tarball updated (ports and works on Minix 3.1.7).  On Minix, add
8992	  /usr/gnu/bin to PATH, use ./configure AR=/usr/gnu/bin/gar and gmake.
8993
89945 July 2010: Wouter
8995	- log if a server is skipped because it is on the donotquery list,
8996	  at verbosity 4, to enable diagnosis why no queries to 127.0.0.1.
8997	- added feature to print configure date, target and options with -h.
8998	- added feature to print event backend system details with -h.
8999	- wdiff is not actually required by make test, updated requirements.
9000
90011 July 2010: Wouter
9002	- Fix RFC4035 compliance with 2.2 statement that the DNSKEY at apex
9003	  must be signed with all algorithms from the DS rrset at the parent.
9004	  This is now checked and becomes bogus if not.
9005
900628 June 2010: Wouter
9007	- Fix jostle list bug found by Vince (luoce@cnnic), it caused the qps
9008	  in overload situations to be about 5 qps for the class of shortly
9009	  serviced queries.
9010	  The capacity of the resolver is then about (numqueriesperthread / 2)
9011	  / (average time for such long queries) qps for long queries.
9012	  And about (numqueriesperthread / 2)/(jostletimeout in whole seconds)
9013	  qps for short queries, per thread.
9014	- Fix the max number of reply-address count to be applied for duplicate
9015	  queries, and not for new query list entries.  This raises the memory
9016	  usage to a max of (16+1)*numqueriesperthread reply addresses.
9017
901825 June 2010: Wouter
9019	- Fix handling of corner case reply from lame server, follows rfc2308.
9020	  It could lead to a nodata reply getting into the cache if the search
9021	  for a non-lame server turned up other misconfigured servers.
9022	- unbound.h has extern "C" statement for easier include in c++.
9023
902423 June 2010: Wouter
9025	- iana portlist updated.
9026	- makedist upgraded cross compile openssl option, like this:
9027	  ./makedist.sh -s -wssl openssl-1.0.0a.tar.gz -w --enable-gost
9028
902922 June 2010: Wouter
9030	- Unbound reports libev or libevent correctly in logs in verbose mode.
9031	- Fix to unload gost dynamic library module for leak testing.
9032
903318 June 2010: Wouter
9034	- iana portlist updated.
9035
903617 June 2010: Wouter
9037	- Add AAAA to root hints for I.ROOT-SERVERS.NET.
9038
903916 June 2010: Wouter
9040	- Fix assertion failure reported by Kai Storbeck from XS4ALL, the
9041	  assertion was wrong.
9042	- updated ldns tarball.
9043
904415 June 2010: Wouter
9045	- tag 1.4.5 created.
9046	- trunk contains 1.4.6 in development.
9047	- Fix TCPreply on systems with no writev, if just 1 byte could be sent.
9048	- Fix to use one pointer less for iterator query state store_parent_NS.
9049	- makedist crosscompile to windows uses builtin ldns not host ldns.
9050	- Max referral count from 30 to 130, because 128 one character domains
9051	  is valid DNS.
9052	- added documentation for the histogram printout to syslog.
9053
905411 June 2010: Wouter
9055	- When retry to parent the retrycount is not wiped, so failed
9056	  nameservers are not tried again.
9057	- iana portlist updated.
9058
905910 June 2010: Wouter
9060	- Fix bug where a long loop could be entered, now cycle detection
9061	  has a loop-counter and maximum search amount.
9062
90634 June 2010: Wouter
9064	- iana portlist updated.
9065	- 1.4.5rc1 tag created.
9066
90673 June 2010: Wouter
9068	- ldns tarball updated, 1.6.5.
9069	- review comments, split dependency cycle tracking for parentside
9070	  last resort lookups for A and AAAA so there are more lookup options.
9071
90722 June 2010: Wouter
9073	- Fix compile warning if compiled without threads.
9074	- updated ldns-tarball with current ldns svn (pre 1.6.5).
9075	- GOST disabled-by-default, the algorithm number is allocated but the
9076	  RFC is still has to pass AUTH48 at the IETF.
9077
90781 June 2010: Wouter
9079	- Ignore Z flag in incoming messages too.
9080	- Fix storage of negative parent glue if that last resort fails.
9081	- libtoolize 2.2.6b, autoconf 2.65 applied to configure.
9082	- new splint flags for newer splint install.
9083
908431 May 2010: Wouter
9085	- Fix AD flag handling, it could in some cases mistakenly copy the AD
9086	  flag from upstream servers.
9087	- alloc_special_obtain out of memory is not a fatal error any more,
9088	  enabling unbound to continue longer in out of memory conditions.
9089	- parentside names are dispreferred but not said to be dnssec-lame.
9090	- parentside check for cached newname glue.
9091	- fix parentside and querytargets modulestate, for dump_requestlist.
9092	- unbound-control-setup makes keys -rw-r--- so not all users permitted.
9093	- fix parentside from cache to be marked dispreferred for bad names.
9094
909528 May 2010: Wouter
9096	- iana portlist updated.
9097	- parent-child disagreement approach altered.  Older fixes are
9098	  removed in place of a more exhaustive search for misconfigured data
9099	  available via the parent of a delegation.
9100	  This is designed to be throttled by cache entries, with TTL from the
9101	  parent if possible.  Additionally the loop-counter is used.
9102	  It also tests for NS RRset differences between parent and child.
9103	  The fetch of misconfigured data should be more reliable and thorough.
9104	  It should work reliably even with no or only partial data in cache.
9105	  Data received from the child (as always) is deemed more
9106	  authoritative than information received from the delegation parent.
9107	  The search for misconfigured data is not performed normally.
9108
910926 May 2010: Wouter
9110	- Contribution from Migiel de Vos (Surfnet): nagios patch for
9111	  unbound-host, in contrib/ (in the source tarball).  Makes
9112	  unbound-host suitable for monitoring dnssec(-chain) status.
9113
911421 May 2010: Wouter
9115	- EDNS timeout code will not fire if EDNS status already known.
9116	- EDNS failure not stored if EDNS status known to work.
9117
911819 May 2010: Wouter
9119	- Fix resolution for domains like safesvc.com.cn.  If the iterator
9120	  can not recurse further and it finds the delegation in a state
9121	  where it would otherwise have rejected it outhand if so received
9122	  from a cache lookup, then it can try to ask higherup (with loop
9123	  protection).
9124	- Fix comments in iter_utils:dp_is_useless.
9125
912618 May 2010: Wouter
9127	- Fix various compiler warnings from the clang llvm compiler.
9128	- iana portlist updated.
9129
91306 May 2010: Wouter
9131	- Fix bug#308: spelling error in variable name in parser and lexer.
9132
91334 May 2010: Wouter
9134	- Fix dnssec-missing detection that was turned off by server selection.
9135	- Conforms to draft-ietf-dnsop-default-local-zones-13.  Added default
9136	  reverse lookup blocks for IPv4 test nets 100.51.198.in-addr.arpa,
9137	  113.0.203.in-addr.arpa and Orchid prefix 0.1.1.0.0.2.ip6.arpa.
9138
913929 April 2010: Wouter
9140	- Fix for dnssec lameness detection to use the key cache.
9141	- infra cache entries that are expired are wiped clean.  Previously
9142	  it was possible to not expire host data (if accessed often).
9143
914428 April 2010: Wouter
9145	- ldns tarball updated and GOST support is detected and then enabled.
9146	- iana portlist updated.
9147	- Fix detection of gost support in ldns (reported by Chris Smith).
9148
914927 April 2010: Wouter
9150	- unbound-control get_option domain-insecure shows config file items.
9151	- fix retry sequence if prime hints are recursion-lame.
9152	- autotrust anchor file can be initialized with a ZSK key as well.
9153	- harden-referral-path does not result in failures due to max-depth.
9154	  You can increase the max-depth by adding numbers (' 0') after the
9155	  target-fetch-policy, this increases the depth to which is checked.
9156
915726 April 2010: Wouter
9158	- Compile fix using Sun Studio 12 compiler on Solaris 5.9, use
9159	  CPPFLAGS during configure process.
9160	- if libev is installed on the base system (not libevent), detect
9161	  it from the event.h header file and link with -lev.
9162	- configlexer.lex gets config.h, and configyyrename.h added by make,
9163	  no more double include.
9164	- More strict scrubber (Thanks to George Barwood for the idea):
9165	  NS set must be pertinent to the query (qname subdomain nsname).
9166	- Fix bug#307: In 0x20 backoff fix fallback so the number of
9167	  outstanding queries does not become -1 and block the request.
9168	  Fixed handling of recursion-lame in combination with 0x20 fallback.
9169	  Fix so RRsets are compared canonicalized and sorted if the immediate
9170	  comparison fails, this makes it work around round-robin sites.
9171
917223 April 2010: Wouter
9173	- Squelch log message: sendto failed permission denied for
9174	  255.255.255.255, it is visible in VERB_DETAIL (verbosity 2).
9175	- Fix to fetch data as last resort more tenaciously.  When cycle
9176	  targets cause the server selection to believe there are more options
9177	  when they really are not there, the server selection is reinitiated.
9178	- Fix fetch from blacklisted dnssec lame servers as last resort.  The
9179	  server's IP address is then given in validator errors as well.
9180	- Fix local-zone type redirect that did not use the query name for
9181	  the answer rrset.
9182
918322 April 2010: Wouter
9184	- tag 1.4.4.
9185	- trunk contains 1.4.5 in development.
9186	- Fix validation failure for qtype ANY caused by a RRSIG parse failure.
9187	  The validator error message was 'no signatures from ...'.
9188
918916 April 2010: Wouter
9190	- more portability defines for CMSG_SPACE, CMSG_ALIGN, CMSG_LEN.
9191	- tag 1.4.4rc1.
9192
919315 April 2010: Wouter
9194	- ECC-GOST algorithm number 12 that is assigned by IANA.  New test
9195	  example key and signatures for GOST.  GOST requires openssl-1.0.0.
9196	  GOST is still disabled by default.
9197
91989 April 2010: Wouter
9199	- Fix bug#305: pkt_dname_tolower could read beyond end of buffer or
9200	  get into an endless loop, if 0x20 was enabled, and buffers are small
9201	  or particular broken packets are received.
9202	- Fix chain of trust with CNAME at an intermediate step, for the DS
9203	  processing proof.
9204
92058 April 2010: Wouter
9206	- Fix validation of queries with wildcard names (*.example).
9207
92086 April 2010: Wouter
9209	- Fix EDNS probe for .de DNSSEC testbed failure, where the infra
9210	  cache timeout coincided with a server update, the current EDNS
9211	  backoff is less sensitive, and does not cache the backoff unless
9212	  the backoff actually works and the domain is not expecting DNSSEC.
9213	- GOST support with correct algorithm numbers.
9214
92151 April 2010: Wouter
9216	- iana portlist updated.
9217
921824 March 2010: Wouter
9219	- unbound control flushed items are not counted when flushed again.
9220
922123 March 2010: Wouter
9222	- iana portlist updated.
9223
922422 March 2010: Wouter
9225	- unbound-host disables use-syslog from config file so that the
9226	  config file for the main server can be used more easily.
9227	- fix bug#301: unbound-checkconf could not parse interface
9228	  '0.0.0.0@5353', even though unbound itself worked fine.
9229
923019 March 2010: Wouter
9231	- fix fwd_ancil test to pass if the socket options are not supported.
9232
923318 March 2010: Wouter
9234	- Fixed random numbers for port, interface and server selection.
9235	  Removed very small bias.
9236	- Refer to the listing in unbound-control man page in the extended
9237	  statistics entry in the unbound.conf man page.
9238
923916 March 2010: Wouter
9240	- Fix interface-automatic for OpenBSD: msg.controllen was too small,
9241	  also assertions on ancillary data buffer.
9242	- check for IP_SENDSRCADDR for interface-automatic or IP_PKTINFO.
9243	- for NSEC3 check if signatures are cached.
9244
924515 March 2010: Wouter
9246	- unit test for util/regional.c.
9247
924812 March 2010: Wouter
9249	- Reordered configure checks so fork and -lnsl -lsocket checks are
9250	  earlier, and thus later checks benefit from and do not hinder them.
9251	- iana portlist updated.
9252	- ldns tarball updated.
9253	- Fix python use when multithreaded.
9254	- Fix solaris python compile.
9255	- Include less in config.h and include per code file for ldns, ssl.
9256
925711 March 2010: Wouter
9258	- another memory allocation option: --enable-alloc-nonregional.
9259	  exposes the regional allocations to other memory purifiers.
9260	- fix for memory alignment in struct sock_list allocation.
9261	- Fix for MacPorts ldns without ssl default, unbound checks if ldns
9262	  has dnssec functionality and uses the builtin if not.
9263	- Fix daemonize on Solaris 10, it did not detach from terminal.
9264	- tag 1.4.3 created.
9265	- trunk is 1.4.4 in development.
9266	- spelling fix in validation error involving cnames.
9267
926810 March 2010: Wouter
9269	- --enable-alloc-lite works with test set.
9270	- portability in the testset: printf format conversions, prototypes.
9271
92729 March 2010: Wouter
9273	- tag 1.4.2 created.
9274	- trunk is 1.4.3 in development.
9275	- --enable-alloc-lite debug option.
9276
92778 March 2010: Wouter
9278	- iana portlist updated.
9279
92804 March 2010: Wouter
9281	- Fix crash in control channel code.
9282
92833 March 2010: Wouter
9284	- better casts in pipe code, brackets placed wrongly.
9285	- iana portlist updated.
9286
92871 March 2010: Wouter
9288	- make install depends on make all.
9289	- Fix 5011 auto-trust-anchor-file initial read to skip RRSIGs.
9290	- --enable-checking: enables assertions but does not look nonproduction.
9291	- nicer VERB_DETAIL (verbosity 2, unbound-host -d) output, with
9292	  nxdomain and nodata distinguished.
9293	- ldns tarball updated.
9294	- --disable-rpath fixed for libtool not found errors.
9295	- new fedora specfile from Fedora13 in contrib from Paul Wouters.
9296
929726 February 2010: Wouter
9298	- Fixup prototype for lexer cleanup in daemon code.
9299	- unbound-control list_stubs, list_forwards, list_local_zones and
9300	  list_local_data.
9301
930224 February 2010: Wouter
9303	- Fix scrubber bug that potentially let NS records through.  Reported
9304	  by Amanda Constant.
9305	- Also delete potential poison references from additional.
9306	- Fix: no classification of a forwarder as lame, throw away instead.
9307
930823 February 2010: Wouter
9309	- libunbound ub_ctx_get_option() added.
9310	- unbound-control set_option and get_option commands.
9311	- iana portlist updated.
9312
931318 February 2010: Wouter
9314	- A little more strict DS scrubbing.
9315	- No more blacklisting of unresponsive servers, a 2 minute timeout
9316	  is backed off to.
9317	- RD flag not enabled for dnssec-blacklisted tries, unless necessary.
9318	- pickup ldns compile fix, libdl for libcrypto.
9319	- log 'tcp connect: connection timed out' only in high verbosity.
9320	- unbound-control log_reopen command.
9321	- moved get_option code from unbound-checkconf to util/config_file.c
9322
932317 February 2010: Wouter
9324	- Disregard DNSKEY from authority section for chain of trust.
9325	  DS records that are irrelevant to a referral scrubbed.  Anti-poison.
9326	- iana portlist updated.
9327
932816 February 2010: Wouter
9329	- Check for 'no space left on device' (or other errors) when
9330	  writing updated autotrust anchors and print errno to log.
9331
933215 February 2010: Wouter
9333	- Fixed the requery protection, the TTL was 0, it is now 900 seconds,
9334	  hardcoded.  We made the choice to send out more conservatively,
9335	  protecting against an aggregate effect more than protecting a
9336	  single user (from their own folly, perhaps in case of misconfig).
9337
933812 February 2010: Wouter
9339	- Re-query pattern changed on validation failure.  To protect troubled
9340	  authority servers, unbound caches a failure for the DNSKEY or DS
9341	  records for the entire zone, and only retries that 900 seconds later.
9342	  This implies that only a handful of packets are sent extra to the
9343	  authority if the zone fails.
9344
934511 February 2010: Wouter
9346	- ldns tarball update for long label length syntax error fix.
9347	- iana portlist updated.
9348
93499 February 2010: Wouter
9350	- Fixup in compat snprintf routine, %f 1.02 and %g support.
9351	- include math.h for testbound test compile portability.
9352
93532 February 2010: Wouter
9354	- Updated url of IANA itar, interim trust anchor repository, in script.
9355
93561 February 2010: Wouter
9357	- iana portlist updated.
9358	- configure test for memcmp portability.
9359
936027 January 2010: Wouter
9361	- removed warning on format string in validator error log statement.
9362	- iana portlist updated.
9363
936422 January 2010: Wouter
9365	- libtool finish the install of unbound python dynamic library.
9366
936721 January 2010: Wouter
9368	- acx_nlnetlabs.m4 synchronised with nsd's version.
9369
937020 January 2010: Wouter
9371	- Fixup lookup trouble for parent-child domains on the first query.
9372
937314 January 2010: Wouter
9374	- Fixup ldns detection to also check for header files.
9375
937613 January 2010: Wouter
9377	- prefetch-key option that performs DNSKEY queries earlier in the
9378	  validation process, and that could halve the latency on DNSSEC
9379	  queries.  It takes some extra processing (CPU, a cache is needed).
9380
938112 January 2010: Wouter
9382	- Fix unbound-checkconf for auto-trust-anchor-file present checks.
9383
93848 January 2010: Wouter
9385	- Fix for parent-child disagreement code which could have trouble
9386	  when (a) ipv6 was disabled and (b) the TTL for parent and child
9387	  were different.  There were two bugs, the parent-side information
9388	  is fixed to no longer block lookup of child side information and
9389	  the iterator is fixed to no longer attempt to get ipv6 when it is
9390	  not enabled and then give up in failure.
9391	- test and fixes to make prefetch actually store the answer in the
9392	  cache.  Considers some rrsets 'already expired' but does not allow
9393	  overwriting of rrsets considered more secure.
9394
93957 January 2010: Wouter
9396	- Fixup python documentation (thanks Leo Vandewoestijne).
9397	- Work on cache prefetch feature.
9398	- Stats for prefetch, in log print stats, unbound-control stats
9399	  and in unbound_munin plugin.
9400
94016 January 2010: Wouter
9402	- iana portlist updated.
9403	- bug#291: DNS wireformat max is 255. dname_valid allowed 256 length.
9404	- verbose output includes parent-side-address notion for lameness.
9405	- documented val-log-level: 2 setting in example.conf and man page.
9406	- change unbound-control-setup from 1024(sha1) to 1536(sha256).
9407
94081 January 2010: Wouter
9409	- iana portlist updated.
9410
941122 December 2009: Wouter
9412	- configure with newer libtool 2.2.6b.
9413
941417 December 2009: Wouter
9415	- review comments.
9416	- tag 1.4.1.
9417	- trunk to version 1.4.2.
9418
941915 December 2009: Wouter
9420	- Answer to qclass=ANY queries, with class IN contents.
9421	  Test that validation also works.
9422	- updated ldns snapshot tarball with latest fixes (parsing records).
9423
942411 December 2009: Wouter
9425	- on IPv4 UDP turn off DF flag.
9426
942710 December 2009: Wouter
9428	- requirements.txt updated with design choice explanations.
9429	- Reading fixes: fix to set unlame when child confirms parent glue,
9430	  and fix to avoid duplicate addresses in delegation point.
9431	- verify_rrsig routine checks expiration last.
9432
94339 December 2009: Wouter
9434	- Fix Bug#287(reopened): update of ldns tarball with fix for parse
9435	  errors generated for domain names like '.example.com'.
9436	- Fix SOA excluded from negative DS responses.  Reported by Hauke
9437	  Lampe.  The negative cache did not include proper SOA records for
9438	  negative qtype DS responses which makes BIND barf on it, such
9439	  responses are now only used internally.
9440	- Fix negative cache lookup of closestencloser check of DS type bit.
9441
94428 December 2009: Wouter
9443	- Fix for lookup of parent-child disagreement domains, where the
9444	  parent-side glue works but it does not provide proper NS, A or AAAA
9445	  for itself, fixing domains such as motorcaravanners.eu.
9446	- Feature: you can specify a port number in the interface: line, so
9447	  you can bind the same interface multiple times at different ports.
9448
94497 December 2009: Wouter
9450	- Bug#287: Fix segfault when unbound-control remove nonexistent local
9451	  data.  Added check to tests.
9452
94531 December 2009: Wouter
9454	- Fix crash with module-config "iterator".
9455	- Added unit test that has "iterator" module-config.
9456
945730 November 2009: Wouter
9458	- bug#284: fix parse of # without end-of-line at end-of-file.
9459
946026 November 2009: Wouter
9461	- updated ldns with release candidate for version 1.6.3.
9462	- tag for 1.4.0 release.
9463	- 1.4.1 version in trunk.
9464	- Fixup major libtool version to 2 because of why_bogus change.
9465	  It was 1:5:0 but should have been 2:0:0.
9466
946723 November 2009: Wouter
9468	- Patch from David Hubbard for libunbound manual page.
9469	- Fixup endless spinning in unbound-control stats reported by
9470	  Attila Nagy.  Probably caused by clock reversal.
9471
947220 November 2009: Wouter
9473	- contrib/split-itar.sh contributed by Tom Hendrikx.
9474
947519 November 2009: Wouter
9476	- better argument help for unbound-control.
9477	- iana portlist updated.
9478
947917 November 2009: Wouter
9480	- noted multiple entries for multiple domain names in example.conf.
9481	- iana portlist updated.
9482
948316 November 2009: Wouter
9484	- Fixed signer detection of CNAME responses without signatures.
9485	- Fix#282 libunbound memleak on error condition by Eric Sesterhenn.
9486	- Tests for CNAMEs to deeper trust anchors, secure and bogus.
9487	- svn tag 1.4.0rc1 made.
9488
948913 November 2009: Wouter
9490	- Fixed validation failure for CNAME to optout NSEC3 nodata answer.
9491	- unbound-host does not fail on type ANY.
9492	- Fixed wireparse failure to put RRSIGs together with data in some
9493	  long ANY mix cases, which fixes validation failures.
9494
949512 November 2009: Wouter
9496	- iana portlist updated.
9497	- fix manpage errors reported by debian lintian.
9498	- review comments.
9499	- fixup very long vallog2 level error strings.
9500
950111 November 2009: Wouter
9502	- ldns tarball updated (to 1.6.2).
9503	- review comments.
9504
950510 November 2009: Wouter
9506	- Thanks to Surfnet found bug in new dnssec-retry code that failed
9507	  to combine well when combined with DLV and a particular failure.
9508	- Fixed unbound-control -h output about argument optionality.
9509	- review comments.
9510
95115 November 2009: Wouter
9512	- lint fixes and portability tests.
9513	- better error text for multiple domain keys in one autotrust file.
9514
95152 November 2009: Wouter
9516	- Fix bug where autotrust does not work when started with a DS.
9517	- Updated GOST unit tests for unofficial algorithm number 249
9518	  and DNSKEY-format changes in draft version -01.
9519
952029 October 2009: Wouter
9521	- iana portlist updated.
9522	- edns-buffer-size option, default 4096.
9523	- fixed do-udp: no.
9524
952528 October 2009: Wouter
9526	- removed abort on prealloc failure, error still printed but softfail.
9527	- iana portlist updated.
9528	- RFC 5702: RSASHA256 and RSASHA512 support enabled by default.
9529	- ldns tarball updated (which also enables rsasha256 support).
9530
953127 October 2009: Wouter
9532	- iana portlist updated.
9533
95348 October 2009: Wouter
9535	- please doxygen
9536	- add val-log-level print to corner case (nameserver.epost.bg).
9537	- more detail to errors from insecure delegation checks.
9538	- Fix double time subtraction in negative cache reported by
9539	  Amanda Constant and Hugh Mahon.
9540	- Made new validator error string available from libunbound for
9541	  applications.  It is in result->why_bogus, a zero-terminated string.
9542	  unbound-host prints it by default if a result is bogus.
9543	  Also the errinf is public in module_qstate (for other modules).
9544
95457 October 2009: Wouter
9546	- retry for validation failure in DS and prime results. Less mem use.
9547	  unit test.  Provisioning in other tests for requeries.
9548	- retry for validation failure in DNSKEY in middle of chain of trust.
9549	  unit test.
9550	- retry for empty non terminals in chain of trust and unit test.
9551	- Fixed security bug where the signatures for NSEC3 records were not
9552	  checked when checking for absence of DS records.  This could have
9553	  enabled the substitution of an insecure delegation.
9554	- moved version number to 1.4.0 because of 1.3.4 release with only
9555	  the NSEC3 patch from the entry above.
9556	- val-log-level: 2 shows extended error information for validation
9557	  failures, but still one (longish) line per failure.  For example:
9558	  validation failure <example.com. DNSKEY IN>: signature expired from
9559	  192.0.2.4 for trust anchor example.com. while building chain of trust
9560	  validation failure <www.example.com. A IN>: no signatures from
9561	  192.0.2.6 for key example.com. while building chain of trust
9562
95636 October 2009: Wouter
9564	- Test set updated to provide additional ns lookup result.
9565	  The retry would attempt to fetch the data from other nameservers
9566	  for bogus data, and this needed to be provisioned in the tests.
9567
95685 October 2009: Wouter
9569	- first validation failure retry code.  Retries for data failures.
9570	  And unit test.
9571
95722 October 2009: Wouter
9573	- improve 5011 modularization.
9574	- fix unbound-host so -d can be given before -C.
9575	- iana portlist updated.
9576
957728 September 2009: Wouter
9578	- autotrust-anchor-file can read multiline input and $ORIGIN.
9579	- prevent integer overflow in holddown calculation. review fixes.
9580	- fixed race condition in trust point revocation. review fix.
9581	- review fixes to comments, removed unused code.
9582
958325 September 2009: Wouter
9584	- so-rcvbuf: 4m option added.  Set this on large busy servers to not
9585	  drop the occasional packet in spikes due to full socket buffers.
9586	  netstat -su keeps a counter of UDP dropped due to full buffers.
9587	- review of validator/autotrust.c, small fixes and comments.
9588
958923 September 2009: Wouter
9590	- 5011 query failed counts verification failures, not lookup failures.
9591	- 5011 probe failure handling fixup.
9592	- test unbound reading of original autotrust data.
9593	  The metadata per-key, such as key state (PENDING, MISSING, VALID) is
9594	  picked up, otherwise performs initial probe like usual.
9595
959622 September 2009: Wouter
9597	- autotrust test with algorithm rollover, new ordering of checks
9598	  assists in orderly rollover.
9599	- autotrust test with algorithm rollover to unknown algorithm.
9600	  checks if new keys are supported before adding them.
9601	- autotrust test with trust point revocation, becomes unsigned.
9602	- fix DNSSEC-missing-signature detection for minimal responses
9603	  for qtype DNSKEY (assumes DNSKEY occurs at zone apex).
9604
960518 September 2009: Wouter
9606	- autotrust tests, fix trustpoint timer deletion code.
9607	  fix count of valid anchors during missing remove.
9608	- autotrust: pick up REVOKE even if not signed with known other keys.
9609
961017 September 2009: Wouter
9611	- fix compile of unbound-host when --enable-alloc-checks.
9612	- Fix lookup problem reported by Koh-ichi Ito and Jaap Akkerhuis.
9613	- Manual page fixes reported by Tony Finch.
9614
961516 September 2009: Wouter
9616	- Fix memory leak reported by Tao Ma.
9617	- Fix memstats test tool for log-time-ascii log format.
9618
961915 September 2009: Wouter
9620	- iana portlist updated.
9621
962210 September 2009: Wouter
9623	- increased MAXSYSLOGLEN so .bg key can be printed in debug output.
9624	- use linebuffering for log-file: output, this can be significantly
9625	  faster than the previous fflush method and enable some class of
9626	  resolvers to use high verbosity (for short periods).
9627	  Not on windows, because line buffering does not work there.
9628
96299 September 2009: Wouter
9630	- Fix bug where DNSSEC-bogus messages were marked with too high TTL.
9631	  The RRsets would still expire at the normal time, but this would
9632	  keep messages bogus in the cache for too long.
9633	- regression test for that bug.
9634	- documented that load_cache is meant for debugging.
9635
96368 September 2009: Wouter
9637	- fixup printing errors when load_cache, they were printed to the
9638	  SSL connection which broke, now to the log.
9639	- new ldns - with fixed parse of large SOA values.
9640
96417 September 2009: Wouter
9642	- autotrust testbound scenarios.
9643	- autotrust fix that failure count is written to file.
9644	- autotrust fix that keys may become valid after add holddown time
9645	  alone, before the probe returns.
9646
96474 September 2009: Wouter
9648	- Changes to make unbound work with libevent-2.0.3 alpha. (in
9649	  configure detection due to new ssl dependency in libevent)
9650	- do not call sphinx for documentation when python is disabled.
9651	- remove EV_PERSIST from libevent timeout code to make the code
9652	  compatible with the libevent-2.0.  Works with older libevent too.
9653	- fix memory leak in python code.
9654
96553 September 2009: Wouter
9656	- Got a patch from Luca Bruno for libunbound support on windows to
9657	  pick up the system resolvconf nameservers and hosts there.
9658	- included ldns updated (enum warning fixed).
9659	- makefile fix for parallel makes.
9660	- Patch from Zdenek Vasicek and Attila Nagy for using the source IP
9661	  from python scripts.  See pythonmod/examples/resip.py.
9662	- doxygen comment fixes.
9663
96642 September 2009: Wouter
9665	- TRAFFIC keyword for testbound. Simplifies test generation.
9666	  ${range lower val upper} to check probe timeout values.
9667	- test with 5011-prepublish rollover and revocation.
9668	- fix revocation of RR for autotrust, stray exclamation mark.
9669
96701 September 2009: Wouter
9671	- testbound variable arithmetic.
9672	- autotrust probe time is randomised.
9673	- autotrust: the probe is active and does not fetch from cache.
9674
967531 August 2009: Wouter
9676	- testbound variable processing.
9677
967828 August 2009: Wouter
9679	- fixup unbound-control lookup to print forward and stub servers.
9680
968127 August 2009: Wouter
9682	- autotrust: mesh answer callback is empty.
9683
968426 August 2009: Wouter
9685	- autotrust probing.
9686	- iana portlist updated.
9687
968825 August 2009: Wouter
9689	- fixup memleak in trust anchor unsupported algorithm check.
9690	- iana portlist updated.
9691	- autotrust options: add-holddown, del-holddown, keep-missing.
9692	- autotrust store revoked status of trust points.
9693	- ctime_r compat definition.
9694	- detect yylex_destroy() in configure.
9695	- detect SSL_get_compression_methods declaration in configure.
9696	- fixup DS lookup at anchor point with unsigned parent.
9697	- fixup DLV lookup for DS queries to unsigned domains.
9698
969924 August 2009: Wouter
9700	- cleaner memory allocation on exit. autotrust test routines.
9701	- free all memory on program exit, fix for ssl and flex.
9702
970321 August 2009: Wouter
9704	- autotrust: debug routines. Read,write and conversions work.
9705
970620 August 2009: Wouter
9707	- autotrust: save and read trustpoint variables.
9708
970919 August 2009: Wouter
9710	- autotrust: state table updates.
9711	- iana portlist updated.
9712
971317 August 2009: Wouter
9714	- autotrust: process events.
9715
971617 August 2009: Wouter
9717	- Fix so that servers are only blacklisted if they fail to reply
9718	  to 16 queries in a row and the timeout gets above 2 minutes.
9719	- autotrust work, split up DS verification of DNSKEYs.
9720
972114 August 2009: Wouter
9722	- unbound-control lookup prints out infra cache information, like RTT.
9723	- Fix bug in DLV lookup reported by Amanda from Secure64.
9724	  It could sometimes wrongly classify a domain as unsigned, which
9725	  does not give the AD bit on replies.
9726
972713 August 2009: Wouter
9728	- autotrust read anchor files. locked trust anchors.
9729
973012 August 2009: Wouter
9731	- autotrust import work.
9732
973311 August 2009: Wouter
9734	- Check for openssl compatible with gost if enabled.
9735	- updated unit test for GOST=211 code.
9736	  Nicer naming of test files.
9737	- iana portlist updated.
9738
97397 August 2009: Wouter
9740	- call OPENSSL_config() in unbound and unit test so that the
9741	  operator can use openssl.cnf for configuration options.
9742	- removed small memory leak from config file reader.
9743
97446 August 2009: Wouter
9745	- configure --enable-gost for GOST support, experimental
9746	  implementation of draft-dolmatov-dnsext-dnssec-gost-01.
9747	- iana portlist updated.
9748	- ldns tarball updated (with GOST support).
9749
97505 August 2009: Wouter
9751	- trunk moved to 1.3.4.
9752
97534 August 2009: Wouter
9754	- Added test that the examples from draft rsasha256-14 verify.
9755	- iana portlist updated.
9756	- tagged 1.3.3
9757
97583 August 2009: Wouter
9759	- nicer warning when algorithm not supported, tells you to upgrade.
9760	- iana portlist updated.
9761
976227 July 2009: Wouter
9763	- Updated unbound-cacti contribution from Dmitriy Demidov, with
9764	  the queue statistics displayed in its own graph.
9765	- iana portlist updated.
9766
976722 July 2009: Wouter
9768	- Fix bug found by Michael Tokarev where unbound would try to
9769	  prime the root servers even though forwarders are configured for
9770	  the root.
9771	- tagged 1.3.3rc1
9772
977321 July 2009: Wouter
9774	- Fix server selection, so that it waits for open target queries when
9775	  faced with lameness.
9776
977720 July 2009: Wouter
9778	- Ignore transient sendto errors, no route to host, and host, net down.
9779	- contrib/update-anchor.sh has -r option for root-hints.
9780	- feature val-log-level: 1 prints validation failures so you can
9781	  keep track of them during dnssec deployment.
9782
978316 July 2009: Wouter
9784	- fix replacement malloc code.  Used in crosscompile.
9785	- makedist -w creates crosscompiled setup.exe on fedora11.
9786
978715 July 2009: Wouter
9788	- dependencies for compat items, for crosscompile.
9789	- mingw32 crosscompile changes, dependencies and zipfile creation.
9790	  and with System.dll from the windows NSIS you can make setup.exe.
9791	- package libgcc_s_sjlj exception handler for NSISdl.dll.
9792
979314 July 2009: Wouter
9794	- updated ldns tarball for solaris x64 compile assistance.
9795	- no need to define RAND_MAX from config.h.
9796	- iana portlist updated.
9797	- configure changes and ldns update for mingw32 crosscompile.
9798
979913 July 2009: Wouter
9800	- Fix for crash at start on windows.
9801	- tag for release 1.3.2.
9802	- trunk has version 1.3.3.
9803	- Fix for ID bits on windows to use all 16. RAND_MAX was not
9804	  defined like you'd expect on mingw. Reported by Mees de Roo.
9805
98069 July 2009: Wouter
9807	- tag for release 1.3.1.
9808	- trunk has version 1.3.2.
9809
98107 July 2009: Wouter
9811	- iana portlist updated.
9812
98136 July 2009: Wouter
9814	- prettier error handling in SSL setup.
9815	- makedist.sh uname fix (same as ldns).
9816	- updated fedora spec file.
9817
98183 July 2009: Wouter
9819	- fixup linking when ldnsdir is "".
9820
982130 June 2009: Wouter
9822	- more lenient truncation checks.
9823
982429 June 2009: Wouter
9825	- ldns trunk r2959 imported as tarball, because of solaris cc compile
9826	  support for c99.  r2960 for better configure.
9827	- better wrongly_truncated check.
9828	- On Linux, fragment IPv6 datagrams to the IPv6 minimum MTU, to
9829	  avoid dropped packets at routers.
9830
983126 June 2009: Wouter
9832	- Fix EDNS fallback when EDNS works for short answers but long answers
9833	  are dropped.
9834
983522 June 2009: Wouter
9836	- fixup iter priv strict aliasing while preserving size of sockaddr.
9837	- iana portlist updated.  (one less port allocated, one more fraction
9838	  of a bit for security!)
9839	- updated fedora specfile in contrib from Paul Wouters.
9840
984119 June 2009: Wouter
9842	- Fixup strict aliasing warning in iter priv code.
9843	  and config_file code.
9844	- iana portlist updated.
9845	- harden-referral-path: handle cases where NS is in answer section.
9846
984718 June 2009: Wouter
9848	- Fix of message parse bug where (specifically) an NSEC and RRSIG
9849	  in the wrong order would be parsed, but put wrongly into internal
9850	  structures so that later validation would fail.
9851	- Extreme lenience for wrongly truncated replies where a positive
9852	  reply has an NS in the authority but no signatures.  They are
9853	  turned into minimal responses with only the (secure) answer.
9854	- autoconf 2.63 for configure.
9855	- python warnings suppress.  Keep python API away from header files.
9856
985717 June 2009: Wouter
9858	- CREDITS entry for cz.nic, sponsoring a 'summer of code' that was
9859	  used for the python code in unbound. (http://www.nic.cz/vip/ in cz).
9860
986116 June 2009: Wouter
9862	- Fixup opportunistic target query generation to it does not
9863	  generate queries that are known to fail.
9864	- Touchup on munin total memory report.
9865	- messages picked out of the cache by the iterator are checked
9866	  if their cname chain is still correct and if validation status
9867	  has to be reexamined.
9868
986915 June 2009: Wouter
9870	- iana portlist updated.
9871
987214 June 2009: Wouter
9873	- Fixed bug where cached responses would lose their security
9874	  status on second validation, which especially impacted dlv
9875	  lookups.  Reported by Hauke Lampe.
9876
987713 June 2009: Wouter
9878	- bug #254. removed random whitespace from example.conf.
9879
988012 June 2009: Wouter
9881	- Fixup potential wrong NSEC picked out of the cache.
9882	- If unfulfilled callbacks are deleted they are called with an error.
9883	- fptr wlist checks for mesh callbacks.
9884	- fwd above stub in configuration works.
9885
988611 June 2009: Wouter
9887	- Fix queries for type DS when forward or stub zones are there.
9888	  They are performed to higherup domains, and thus treated as if
9889	  going to higher zones when looking up the right forward or stub
9890	  server.  This makes a stub pointing to a local server that has
9891	  a local view of example.com signed with the same keys as are
9892	  publicly used work.  Reported by Johan Ihren.
9893	- Added build-unbound-localzone-from-hosts.pl to contrib, from
9894	  Dennis DeDonatis.  It converts /etc/hosts into config statements.
9895	- same thing fixed for forward-zone and DS, chain of trust from
9896	  public internet into the forward-zone works now.  Added unit test.
9897
98989 June 2009: Wouter
9899	- openssl key files are opened apache-style, when user is root and
9900	  before chrooting.  This makes permissions on remote-control key
9901	  files easier to set up.  Fixes bug #251.
9902	- flush_type and flush_name remove msg cache entries.
9903	- codereview - dp copy bogus setting fix.
9904
99058 June 2009: Wouter
9906	- Removed RFC5011 REVOKE flag support. Partial 5011 support may cause
9907	  inadvertent behaviour.
9908	- 1.3.0 tarball for release created.
9909	- 1.3.1 development in svn trunk.
9910	- iana portlist updated.
9911	- fix lint from complaining on ldns/sha.h.
9912	- help compiler figure out aliasing in priv_rrset_bad() routine.
9913	- fail to configure with python if swig is not found.
9914	- unbound_munin_ in contrib uses ps to show rss if sbrk does not work.
9915
99163 June 2009: Wouter
9917	- fixup bad free() when wrongly encoded DSA signature is seen.
9918	  Reported by Paul Wouters.
9919	- review comments from Matthijs.
9920
99212 June 2009: Wouter
9922	- --enable-sha2 option. The draft rsasha256 changed its algorithm
9923	  numbers too often.  Therefore it is more prudent to disable the
9924	  RSASHA256 and RSASHA512 support by default.
9925	- ldns trunk included as new tarball.
9926	- recreated the 1.3.0 tag in svn. rc1 tarball generated at this point.
9927
992829 May 2009: Wouter
9929	- fixup doc bug in README reported by Matthew Dempsky.
9930
993128 May 2009: Wouter
9932	- update iana port list
9933	- update ldns lib tarball
9934
993527 May 2009: Wouter
9936	- detect lack of IPv6 support on XP (with a different error code).
9937	- Fixup a crash-on-exit which was triggered by a very long queue.
9938	  Unbound would try to re-use ports that came free, but this is
9939	  of course not really possible because everything is deleted.
9940	  Most easily triggered on XP (not Vista), maybe because of the
9941	  network stack encouraging large messages backlogs.
9942	- change in debug statements.
9943	- Fixed bug that could cause a crash if root prime failed when there
9944	  were message backlogs.
9945
994626 May 2009: Wouter
9947	- Thanks again to Brett Carr, found an assertion that was not true.
9948	  Assertion checked if recursion parent query still existed.
9949
995029 April 2009: Wouter
9951	- Thanks to Brett Carr, caught windows resource leak, use
9952	  closesocket() and not close() on sockets or else the network stack
9953	  starts to leak handles.
9954	- Removed usage of windows Mutex because windows cannot handle enough
9955	  mutexes open.  Provide own mutex implementation using primitives.
9956
995728 April 2009: Wouter
9958	- created svn tag for 1.3.0.
9959
996027 April 2009: Wouter
9961	- optimised cname from cache.
9962	- ifdef windows functions in testbound.
9963
996423 April 2009: Wouter
9965	- fix for threadsafety in solaris thr_key_create() in tests.
9966	- iana portlist updated.
9967	- fix pylib test for Darwin.
9968	- fix pymod test for Darwin and a python threading bug in pymod init.
9969	- check python >= 2.4 in configure.
9970	- -ldl check for libcrypto 1.0.0beta.
9971
997221 April 2009: Wouter
9973	- fix for build outside sourcedir.
9974	- fix for configure script swig detection.
9975
997617 April 2009: Wouter
9977	- Fix reentrant in minievent handler for unix. Could have resulted
9978	  in spurious event callbacks.
9979	- timers do not take up a fd slot for winsock handler.
9980	- faster fix for winsock reentrant check.
9981	- fix rsasha512 unit test for new (interim) algorithm number.
9982	- fix test:ldns doesn't like DOS line endings in keyfiles on unix.
9983	- fix compile warning on ubuntu (configlexer fwrite return value).
9984	- move python include directives into CPPFLAGS instead of CFLAGS.
9985
998616 April 2009: Wouter
9987	- winsock event handler exit very quickly on signal, even if
9988	  under heavy load.
9989	- iana portlist updated.
9990	- fixup windows winsock handler reentrant problem.
9991
999214 April 2009: Wouter
9993	- bug #245: fix munin plugin, perform cleanup of stale lockfiles.
9994	- makedist.sh; better help text.
9995	- cache-min-ttl option and tests.
9996	- mingw detect error condition on TCP sockets (NOTCONN).
9997
99989 April 2009: Wouter
9999	- Fix for removal of RSASHA256_NSEC3 protonumber from ldns.
10000	- ldns tarball updated.
10001	- iana portlist update.
10002	- detect GOST support in openssl-1.0.0-beta1, and fix compile problem
10003	  because that openssl defines the name STRING for itself.
10004
100056 April 2009: Wouter
10006	- windows compile fix.
10007	- Detect FreeBSD jail without ipv6 addresses assigned.
10008	- python libunbound wrapper unit test.
10009	- installs the following files. Default is to not build them.
10010	  	from configure --with-pythonmodule:
10011	  /usr/lib/python2.x/site-packages/unboundmodule.py
10012	  	from configure --with-pyunbound:
10013	  /usr/lib/python2.x/site-packages/unbound.py
10014	  /usr/lib/python2.x/site-packages/_unbound.so*
10015	  The example python scripts (pythonmod/examples and
10016	  libunbound/python/examples) are not installed.
10017	- python invalidate routine respects packed rrset ids and locks.
10018	- clock skew checks in unbound, config statements.
10019	- nxdomain ttl considerations in requirements.txt
10020
100213 April 2009: Wouter
10022	- Fixed a bug that caused messages to be stored in the cache too
10023	  long.  Hard to trigger, but NXDOMAINs for nameservers or CNAME
10024	  targets have been more vulnerable to the TTL miscalculation bug.
10025	- documentation test fixed for python addition.
10026
100272 April 2009: Wouter
10028	- pyunbound (libunbound python plugin) compiles using libtool.
10029	- documentation for pythonmod and pyunbound is generated in doc/html.
10030	- iana portlist updated.
10031	- fixed bug in unbound-control flush_zone where it would not flush
10032	  every message in the target domain.  This especially impacted
10033	  NXDOMAIN messages which could remain in the cache regardless.
10034	- python module test package.
10035
100361 April 2009: Wouter
10037	- suppress errors when trying to contact authority servers that gave
10038	  ipv6 AAAA records for their nameservers with ipv4 mapped contents.
10039	  Still tries to do so, could work when deployed in intranet.
10040	  Higher verbosity shows the error.
10041	- new libunbound calls documented.
10042	- pyunbound in libunbound/python. Removed compile warnings.
10043	  Makefile to make it.
10044
1004530 March 2009: Wouter
10046	- Fixup LDFLAGS from libevent sourcedir compile configure restore.
10047	- Fixup so no non-absolute rpaths are added.
10048	- Fixup validation of RRSIG queries, they are let through.
10049	- read /dev/random before chroot
10050	- checkconf fix no python checks when no python module enabled.
10051	- fix configure, pthread first, so other libs do not change outcome.
10052
1005327 March 2009: Wouter
10054	- nicer -h output. report linked libraries and modules.
10055	- prints modules in intuitive order (config file friendly).
10056	- python compiles easily on BSD.
10057
1005826 March 2009: Wouter
10059	- ignore swig varargs warnings with gcc.
10060	- remove duplicate example.conf text from python example configs.
10061	- outofdir compile fix for python.
10062	- pyunbound works.
10063	- print modules compiled in on -h. manpage.
10064
1006525 March 2009: Wouter
10066	- initial import of the python contribution from Zdenek Vasicek and
10067	  Marek Vavrusa.
10068	- pythonmod in Makefile; changes to remove warnings/errors for 1.3.0.
10069
1007024 March 2009: Wouter
10071	- more neat configure.ac. Removed duplicate config.h includes.
10072	- neater config.h.in.
10073	- iana portlist updated.
10074	- fix util/configlexer.c and solaris -std=c99 flag.
10075	- fix postcommit aclocal errors.
10076	- spaces stripped. Makefile cleaner, /usr omitted from -I, -L, -R.
10077	- swap order of host detect and libtool generation.
10078
1007923 March 2009: Wouter
10080	- added launchd plist example file for MacOSX to contrib.
10081	- deprecation test for daemon(3).
10082	- moved common configure actions to m4 include, prettier Makefile.
10083
1008420 March 2009: Wouter
10085	- bug #239: module-config entries order is important. Documented.
10086	- build fix for test asynclook.
10087
1008819 March 2009: Wouter
10089	- winrc/README.txt dos-format text file.
10090	- iana portlist updated.
10091	- use _beginthreadex() when available (performs stack alignment).
10092	- defaults for windows baked into configure.ac (used if on mingw).
10093
1009418 March 2009: Wouter
10095	- Added tests, unknown algorithms become insecure. fallback works.
10096	- Fix for and test for unknown algorithms in a trust anchor
10097	  definition.  Trust anchors with no supported algos are ignored.
10098	  This means a (higher)DS or DLV entry for them could succeed, and
10099	  otherwise they are treated as insecure.
10100	- domain-insecure: "example.com" statement added. Sets domain
10101	  insecure regardless of chain of trust DSs or DLVs. The inverse
10102	  of a trust-anchor.
10103
1010417 March 2009: Wouter
10105	- unit test for unsupported algorithm in anchor warning.
10106	- fixed so queries do not fail on opportunistic target queries.
10107
1010816 March 2009: Wouter
10109	- fixup diff error printout in contrib/update-itar.sh.
10110	- added contrib/unbound_cacti for statistics support in cacti,
10111	  contributed by Dmitriy Demidov.
10112
1011313 March 2009: Wouter
10114	- doxygen and lex/yacc on linux.
10115	- strip update-anchor on makedist -w.
10116	- fix testbound on windows.
10117	- default log to syslog for windows.
10118	- uninstaller can stop unbound - changed text on it to reflect that.
10119	- remove debugging from windows 'cron' actions.
10120
1012112 March 2009: Wouter
10122	- log to App.logs on windows prints executable identity.
10123	- fixup tests.
10124	- munin plugin fix benign locking error printout.
10125	- anchor-update for windows, called every 24 hours; unbound reloads.
10126
1012711 March 2009: Wouter
10128	- winsock event handler resets WSAevents after signalled.
10129	- winsock event handler tests if signals are really signalled.
10130	- install and service with log to file works on XP and Vista on
10131	  default install location.
10132	- on windows logging to the Application logbook works (as a service).
10133	- fix RUN_DIR on windows compile setting in makedist.
10134	- windows registry has Software\Unbound\ConfigFile element.
10135	  If does not exist, the default is used. The -c switch overrides it.
10136	- fix makedist version cleanup function.
10137
1013810 March 2009: Wouter
10139	- makedist -w strips out old rc.. and snapshot info from version.
10140	- setup.exe starts and stops unbound after install, before uninstall.
10141	- unbound-checkconf recognizes absolute pathnames on windows (C:...).
10142
101439 March 2009: Wouter
10144	- Nullsoft NSIS installer creation script.
10145
101465 March 2009: Wouter
10147	- fixup memory leak introduced on 18feb in mesh reentrant fix.
10148
101493 March 2009: Wouter
10150	- combined icon with 16x16(4) 32x32(4) 48x48(8) 64x64(8).
10151	- service works on xp/vista, no config necessary (using defaults).
10152	- windows registry settings.
10153
101542 March 2009: Wouter
10155	- fixup --export-symbols to be -export-symbls for libtool.
10156	  This should fix extraneous symbols exported from libunbound.
10157	  Thanks to Ondrej Sury and Robert Edmonds for finding it.
10158	- iana portlist updated.
10159	- document FAQ entry on stub/forward zones and default blocking.
10160	- fix asynclook test app for libunbound not exporting symbols.
10161	- service install and remove utils that work with vista UAC.
10162
1016327 February 2009: Wouter
10164	- Fixup lexer, to not give warnings about fwrite. Appeared in
10165	  new lexer features.
10166	- makedistro functionality for mingw. Has RC support.
10167	- support spaces and backslashes in configured defaults paths.
10168	- register, deregister in service control manager.
10169
1017025 February 2009: Wouter
10171	- windres usage for application resources.
10172
1017324 February 2009: Wouter
10174	- isc moved their dlv key download location.
10175	- fixup warning on vista/mingw.
10176	- makedist -w for window zip distribution first version.
10177
1017820 February 2009: Wouter
10179	- Fixup contrib/update-itar.sh, the exit codes 1 and 0 were swapped.
10180	  Nicer script layout.  Added url to site in -h output.
10181
1018219 February 2009: Wouter
10183	- unbound-checkconf and unbound print warnings when trust anchors
10184	  have unsupported algorithms.
10185	- added contrib/update-itar.sh  This script is similar to
10186	  update-anchor.sh, and updates from the IANA ITAR repository.
10187	  You can provide your own PGP key and trust repo, or can use the
10188	  builtin.  The program uses wget and gpg to work.
10189	- iana portlist updated.
10190	- update-itar.sh: using ftp:// urls because https godaddy certificate
10191	  is not available everywhere and then gives fatal errors.  The
10192	  security is provided by pgp signature.
10193
1019418 February 2009: Wouter
10195	- more cycle detection. Also for target queries.
10196	- fixup bug where during deletion of the mesh queries the callbacks
10197	  that were reentrant caused assertion failures. Keep the mesh in
10198	  a reentrant safe state.  Affects libunbound, reload of server,
10199	  on quit and flush_requestlist.
10200	- iana portlist updated.
10201
1020213 February 2009: Wouter
10203	- forwarder information now per-thread duplicated.
10204	  This keeps it read only for speed, with no locking necessary.
10205	- forward command for unbound control to change forwarders to use
10206	  on the fly.
10207	- document that unbound-host reads no config file by default.
10208	- updated iana portlist.
10209
1021012 February 2009: Wouter
10211	- call setusercontext if available (on BSD).
10212	- small refactor of stats clearing.
10213	- #227: flush_stats feature for unbound-control.
10214	- stats_noreset feature for unbound-control.
10215	- flush_requestlist feature for unbound-control.
10216	- libunbound version upped API (was changed 5 feb).
10217	- unbound-control status shows if root forwarding is in use.
10218	- slightly nicer memory management in iter-fwd code.
10219
1022010 February 2009: Wouter
10221	- keys with rfc5011 REVOKE flag are skipped and not considered when
10222	  validating data.
10223	- iana portlist updated
10224	- #226: dump_requestlist feature for unbound-control.
10225
102266 February 2009: Wouter
10227	- contrib contains specfile for fedora 1.2.1 (from Paul Wouters).
10228	- iana portlist updated.
10229	- fixup EOL in include directive (reported by Paul Wouters).
10230	  You can no longer specify newlines in the names of included files.
10231	- config parser changed. Gives some syntax errors closer to where they
10232	  occurred. Does not enforce a space after keyword anymore.
10233	  Does not allow literal newlines inside quoted strings anymore.
10234	- verbosity level 5 logs customer IP for new requestlist entries.
10235	- test fix, lexer and cancel test.
10236	- new option log-time-ascii: yes  if you enable it prints timestamps
10237	  in the log file as Feb 06 13:45:26 (like syslog does).
10238	- detect event_base_new in libevent-1.4.1 and later and use it.
10239	- #231 unbound-checkconf -o option prints that value from config file.
10240	  Useful for scripting in management scripts and the like.
10241
102425 February 2009: Wouter
10243	- ldns 1.5.0 rc as tarball included.
10244	- 1.3.0 development continues:
10245	  change in libunbound API: ub_cancel can return an error, that
10246	  the async_id did not exist, or that it was already delivered.
10247	  The result could have been delivered just before the cancel
10248	  routine managed to acquire the lock, so a caller may get the
10249	  result at the same time they call cancel.  For this case,
10250	  ub_cancel tries to return an error code.
10251	  Fixes race condition in ub_cancel() libunbound function.
10252	- MacOSX Leopard cleaner text output from configure.
10253	- initgroups(3) is called to drop secondary group permissions, if
10254	  applicable.
10255	- configure option --with-ldns-builtin forces the use of the
10256	  included ldns package with the unbound source.  The -I include
10257	  is put before the others, so it avoids bad include files from
10258	  an older ldns install.
10259	- daemon(3) posix call is used when available.
10260	- testbound test for older fix added.
10261
102624 February 2009: Wouter
10263	- tag for release 1.2.1.
10264	- trunk setup for 1.3.0 development.
10265
102663 February 2009: Wouter
10267	- noted feature requests in doc/TODO.
10268	- printout more detailed errors on ssl certificate loading failures.
10269	- updated IANA portlist.
10270
1027116 January 2009: Wouter
10272	- more quiet about ipv6 network failures, i.e. when ipv6 is not
10273	  available (network unreachable). Debug still printed on high
10274	  verbosity.
10275	- unbound-host -4 and -6 options. Stops annoying ipv6 errors when
10276	  debugging with unbound-host -4 -d ...
10277	- more cycle detection for NS-check, addr-check, root-prime and
10278	  stub-prime queries in the iterator.  Avoids possible deadlock
10279	  when priming fails.
10280
1028115 January 2009: Wouter
10282	- bug #229: fixup configure checks for compilation with Solaris
10283	  Sun cc compiler, ./configure CC=/opt/SUNWspro/bin/cc
10284	- fixup suncc warnings.
10285	- fix bug where unbound could crash using libevent 1.3 and older.
10286	- update testset for recent retry change.
10287
1028814 January 2009: Wouter
10289	- 1.2.1 feature: negative caching for failed queries.
10290	  Queries that failed are cached for 5 seconds (NORR_TTL).
10291	  If the failure is local, like out of memory, it is not cached.
10292	- the TTL comparison for the cache used different comparisons,
10293	  causing many cache responses that used the iterator and validator
10294	  state machines unnecessarily.
10295	- retry from 4 to 5 so that EDNS drop retry is part of the first
10296	  query resolve attempt, and cached error does not stop EDNS fallback.
10297	- remove debug prints that protect against bad referrals.
10298	- honor QUIET=no on make commandline (or QUIET=yes ).
10299
1030013 January 2009: Wouter
10301	- fixed bug in lameness marking, removed printouts.
10302	- find NS rrset more cleanly for qtype NS.
10303	- Moved changes to 1.2.0 for release. Thanks to Mark Zealey for
10304	  reporting and logs.
10305	- 1.2.1 feature: stops resolving AAAAs promiscuously when they
10306	  are in the negative cache.
10307
1030812 January 2009: Wouter
10309	- fixed bug in infrastructure lameness cache, did not lowercase
10310	  name of zone to hash when setting lame.
10311	- lameness debugging printouts.
10312
103139 January 2009: Wouter
10314	- created svn tag for 1.2.0 release.
10315	- svn trunk contains 1.2.1 version number.
10316	- iana portlist updated for todays list.
10317	- removed debug print.
10318
103198 January 2009: Wouter
10320	- new version of ldns-trunk (today) included as tarball, fixed
10321	  bug #224, building with -j race condition.
10322	- remove possible race condition in the test for race conditions.
10323
103247 January 2009: Wouter
10325	- version 1.2.0 in preparation.
10326	- feature to allow wildcards (*, ?, [], {}. ~) in trusted-keys-file
10327	  statements. (Adapted from patch by Paul Wouters).
10328	- typo fix and iana portlist updated.
10329	- porting testsuite; unused var warning, and type fixup.
10330
103316 January 2009: Wouter
10332	- fixup packet-of-death when compiled with --enable-debug.
10333	  A malformed packet could cause an internal assertion failure.
10334	- added test for HINFO canonicalisation behaviour.
10335	- fixup reported problem with transparent local-zone data where
10336	  queries with different type could get nxdomain. Now queries
10337	  with a different name get resolved normally, with different type
10338	  get a correct NOERROR/NODATA answer.
10339	- HINFO no longer downcased for validation, making unbound compatible
10340	  with bind and ldns.
10341	- fix reading included config files when chrooted.
10342	  Give full path names for include files.
10343	  Relative path names work if the start dir equals the working dir.
10344	- fix libunbound message transport when no packet buffer is available.
10345
103465 January 2009: Wouter
10347	- fixup getaddrinfo failure handling for remote control port.
10348	- added L.ROOT-SERVERS.NET. AAAA 2001:500:3::42 to builtin root hints.
10349	- fixup so it works with libev-3.51 from http://dist.schmorp.de/libev/
10350	- comm_timer_set performs base_set operation after event_add.
10351
1035218 December 2008: Wouter
10353	- fixed bug reported by Duane Wessels: error in DLV lookup, would make
10354	  some zones that had correct DLV keys as insecure.
10355	- follows -rc makedist from ldns changes (no _rc).
10356	- ldns tarball updated with 1.4.1rc for DLV unit test.
10357	- verbose prints about recursion lame detection and server selection.
10358	- fixup BSD port for infra host storage. It hashed wrongly.
10359	- fixup makedist snapshot name generation.
10360	- do not reopen syslog to avoid dev/log dependency.
10361
1036217 December 2008: Wouter
10363	- follows ldns makedist.sh. -rc option. autom4te dir removed.
10364	- unbound-control status command.
10365	- extended statistics has a number of ipv6 queries counter.
10366	  contrib/unbound_munin_ was updated to draw ipv6 in the hits graph.
10367
1036816 December 2008: Wouter
10369	- follow makedist improvements from ldns, for maintainers prereleases.
10370	- snapshot version uses _ not - to help rpm distinguish the
10371	  version number.
10372
1037311 December 2008: Wouter
10374	- better fix for bug #219: use LOG_NDELAY with openlog() call.
10375	  Thanks to Tamas Tevesz.
10376
103779 December 2008: Wouter
10378	- bug #221 fixed: unbound checkconf checks if key files exist if
10379	  remote control is enabled. Also fixed NULL printf when not chrooted.
10380	- iana portlist updated.
10381
103823 December 2008: Wouter
10383	- Fix problem reported by Jaco Engelbrecht where unbound-control stats
10384	  freezes up unbound if this was compiled without threading, and
10385	  was using multiple processes.
10386	- iana portlist updated.
10387	- test for remote control with interprocess communication.
10388	- created command distribution mechanism so that remote control
10389	  commands other than 'stats' work on all processes in a nonthreaded
10390	  compiled version. dump/load cache work, on the first process.
10391	- fixup remote control local_data addition memory corruption bug.
10392
103931 December 2008: Wouter
10394	- SElinux policy files in contrib/selinux for the unbound daemon,
10395	  by Paul Wouters and Adam Tkac.
10396
1039725 November 2008: Wouter
10398	- configure complains when --without-ssl is given (bug #220).
10399	- skip unsupported feature tests on vista/mingw.
10400	- fixup testcode/streamtcp to work on vista/mingw.
10401	- root-hints test checks version of dig required.
10402	- blacklisted servers are polled at a low rate (1%) to see if they
10403	  come back up. But not if there is some other working server.
10404
1040524 November 2008: Wouter
10406	- document that the user of the server daemon needs read privileges
10407	  on the keys and certificates generated by unbound-control-setup.
10408	  This is different per system or distribution, usually, running the
10409	  script under the same username as the server uses suffices.
10410	  i.e.  sudo -u unbound unbound-control-setup
10411	- testset port to vista/mingw.
10412	- tcp_sigpipe to freebsd port.
10413
1041421 November 2008: Wouter
10415	- fixed tcp accept, errors were printed when they should not.
10416	- unbound-control-setup.sh removes read/write permissions other
10417	  from the keys it creates (as suggested by Dmitriy Demidov).
10418
1041920 November 2008: Wouter
10420	- fixup fatal error due to faulty error checking after tcp accept.
10421	- add check in rlimit to avoid integer underflow.
10422	- rlimit check with new formula; better estimate for number interfaces
10423	- nicer comments in rlimit check.
10424	- tag 1.1.1 created in svn.
10425	- trunk label is 1.1.2
10426
1042719 November 2008: Wouter
10428	- bug #219: fixed so that syslog which delays opening until the first
10429	  log line is written, gets a log line while not chroot'ed yet.
10430
1043118 November 2008: Wouter
10432	- iana portlist updated.
10433	- removed cast in unit test debug print that was not 64bit safe.
10434	- trunk back to 1.1.0; copied to tags 1.1.0 release.
10435	- trunk to has version number 1.1.1 again.
10436	- in 1.1.1; make clean nicer. grammar in manpage.
10437
1043817 November 2008: Wouter
10439	- theoretical fix for problems reported on mailing list.
10440	  If a delegation point has no A but only AAAA and do-ip6 is no,
10441	  resolution would fail. Fixed to ask for the A and AAAA records.
10442	  It has to ask for both always, so that it can fail quietly, from
10443	  TLD perspective, when a zone is only reachable on one transport.
10444	- test for above, only AAAA and doip6 is no. Fix causes A record
10445	  for nameserver to be fetched.
10446	- fixup address duplication on cache fillup for delegation points.
10447	- testset updated for new query answer requirements.
10448
1044914 November 2008: Wouter
10450	- created 1.1.0 release tag in svn.
10451	- trunk moved to 1.1.1
10452	- fixup unittest-neg for locking.
10453
1045413 November 2008: Wouter
10455	- added fedora init and specfile to contrib (by Paul Wouters).
10456	- added configure check for ldns 1.4.0 (using its compat funcs).
10457	- neater comments in worker.h.
10458	- removed doc/plan and updated doc/TODO.
10459	- silenced EHOSTDOWN (verbosity 2 or higher to see it).
10460	- review comments from Jelte, Matthijs. Neater code.
10461
1046212 November 2008: Wouter
10463	- add unbound-control manpage to makedist replace list.
10464
1046511 November 2008: Wouter
10466	- unit test for negative cache, stress tests the refcounting.
10467	- fix for refcounting error that could cause fptr_wlist fatal exit
10468	  in the negative cache rbtree (upcoming 1.1 feature). (Thanks to
10469	  Attila Nagy for testing).
10470	- nicer comments in cachedump about failed RR to string conversion.
10471	- fix 32bit wrap around when printing large (4G and more) mem usage
10472	  for extended statistics.
10473
1047410 November 2008: Wouter
10475	- fixup the getaddrinfo compat code rename.
10476
104778 November 2008: Wouter
10478	- added configure check for eee build warning.
10479
104807 November 2008: Wouter
10481	- fix bug 217: fixed, setreuid and setregid do not work on MacOSX10.4.
10482	- detect nonblocking problems in network stack in configure script.
10483
104846 November 2008: Wouter
10485	- dname_priv must decompress the name before comparison.
10486	- iana portlist updated.
10487
104885 November 2008: Wouter
10489	- fixed possible memory leak in key_entry_key deletion.
10490	  Would leak a couple bytes when trust anchors were replaced.
10491	- if query and reply qname overlap, the bytes are skipped not copied.
10492	- fixed file descriptor leak when messages were jostled out that
10493	  had outstanding (TCP) replies.
10494	- DNAMEs used from cache have their synthesized CNAMEs initialized
10495	  properly.
10496	- fixed file descriptor leak for localzone type deny (for TCP).
10497	- fixed memleak at exit for nsec3 negative cached zones.
10498	- fixed memleak for the keyword 'nodefault' when reading config.
10499	- made verbosity of 'edns incapable peer' warning higher, so you
10500	  do not get spammed by it.
10501	- caught elusive Bad file descriptor error bug, that would print the
10502	  error while unnecessarily try to listen to a closed fd. Fixed.
10503
105044 November 2008: Wouter
10505	- fixed -Wwrite-strings warnings that result in better code.
10506
105073 November 2008: Wouter
10508	- fixup build process for Mac OSX linker, use ldns b32 compat funcs.
10509	- generated configure with autoconf-2.61.
10510	- iana portlist updated.
10511	- detect if libssl needs libdl.  For static linking with libssl.
10512	- changed to use new algorithm identifiers for sha256/sha512
10513	  from ldns 1.4.0 (need very latest version).
10514	- updated the included ldns tarball.
10515	- proper detection of SHA256 and SHA512 functions (not just sizes).
10516
1051723 October 2008: Wouter
10518	- a little more debug info for failure on signer names. prints names.
10519
1052022 October 2008: Wouter
10521	- CFLAGS are picked up by configure from the environment.
10522	- iana portlist updated.
10523	- updated ldns to use 1.4.0-pre20081022 so it picks up CFLAGS too.
10524	- new stub-prime: yesno option. Default is off, so it does not prime.
10525	  can be turned on to get same behaviour as previous unbound release.
10526	- made automated test that checks if builtin root hints are uptodate.
10527	- finished draft-wijngaards-dnsext-resolver-side-mitigation
10528	  implementation. The unwanted-reply-threshold can be set.
10529	- fixup so fptr_whitelist test in alloc.c works.
10530
1053121 October 2008: Wouter
10532	- fix update-anchors.sh, so it does not report different RR order
10533	  as an update.  Sorts the keys in the file.  Updated copyright.
10534	- fixup testbound on windows, the command control pipe doesn't exist.
10535	- skip 08hostlib test on windows, no fork() available.
10536	- made unbound-remote work on windows.
10537
1053820 October 2008: Wouter
10539	- quench a log message that is debug only.
10540	- iana portlist updated.
10541	- do not query bogus nameservers.  It is like nameservers that have
10542	  the NS or A or AAAA record bogus are listed as donotquery.
10543	- if server selection is faced with only bad choices, it will
10544	  attempt to get more options to be fetched.
10545	- changed bogus-ttl default value from 900 to 60 seconds.
10546	  In anticipation that operator caused failures are more likely than
10547	  actual attacks at this time.  And thus repeated validation helps
10548	  the operators get the problem fixed sooner.  It makes validation
10549	  failures go away sooner (60 seconds after the zone is fixed).
10550	  Also it is likely to try different nameserver targets every minute,
10551	  so that if a zone is bad on one server but not another, it is
10552	  likely to pick up the 'correct' one after a couple minutes,
10553	  and if the TTL is big enough that solves validation for the zone.
10554	- fixup unbound-control compilation on windows.
10555
1055617 October 2008: Wouter
10557	- port Leopard/G5: fixup type conversion size_t/uint32.
10558	  please ranlib, stop file without symbols warning.
10559	- harden referral path now also validates the root after priming.
10560	  It looks up the root NS authoritatively as well as the root servers
10561	  and attempts to validate the entries.
10562
1056316 October 2008: Wouter
10564	- Fixup negative TTL values appearing (reported by Attila Nagy).
10565
1056615 October 2008: Wouter
10567	- better documentation for 0x20; remove fallback TODO, it is done.
10568	- harden-referral-path feature includes A, AAAA queries for glue,
10569	  as well as very careful NS caching (only when doing NS query).
10570	  A, AAAA use the delegation from the NS-query.
10571
1057214 October 2008: Wouter
10573	- fwd_three.tpkg test was flaky.  If the three requests hit the
10574	  wrong threads by chance (or bad OS) then the test would fail.
10575	  Made less flaky by increasing number of retries.
10576	- stub_udp.tpkg changed to work, give root hints. fixed ldns_dname_abs.
10577	- ldns tarball is snapshot of ldns r2759 (1.4.0-pre-20081014).
10578	  Which includes the ldns_dname_absolute fix.
10579	- fwd_three test remains flaky now that unbound does not stop
10580	  listening when full.  Thus, removed timeout problem.
10581	  It may be serviced by three threads, or maybe by one.
10582	  Mostly only useful for lock-check testing now.
10583
1058413 October 2008: Wouter
10585	- fixed recursion servers deployed as authoritative detection, so
10586	  that as a last resort, a +RD query is sent there to get the
10587	  correct answer.
10588	- iana port list update.
10589	- ldns tarball is snapshot of ldns r2759 (1.4.0-pre-20081013).
10590
1059110 October 2008: Wouter
10592	- fixup tests - the negative cache contained the correct NSEC3s for
10593	  two tests that are supposed to fail to validate.
10594
105959 October 2008: Wouter
10596	- negative cache caps max iterations of NSEC3 done.
10597	- NSEC3 negative cache for qtype DS works.
10598
105998 October 2008: Wouter
10600	- NSEC negative cache for DS.
10601
106026 October 2008: Wouter
10603	- jostle-timeout option, so you can config for slow links.
10604	- 0x20 fallback code.  Tries 3xnumber of nameserver addresses
10605	  queries that must all be the same.  Sent to random nameservers.
10606	- documented choices for DoS, EDNS, 0x20.
10607
106082 October 2008: Wouter
10609	- fixup unlink of pidfile.
10610	- fixup SHA256 algorithm collation code.
10611	- contrib/update-anchor.sh does not overwrite anchors if not needed.
10612	  exits 0 when a restart is needed, other values if not.
10613	  so,  update-anchor.sh -d mydir && /etc/rc.d/unbound restart
10614	  can restart unbound exactly when needed.
10615
1061630 September 2008: Wouter
10617	- fixup SHA256 DS downgrade, no longer possible to downgrade to SHA1.
10618	- tests for sha256 support and downgrade resistance.
10619	- RSASHA256 and RSASHA512 support (using the draft in dnsext),
10620	  using the drafted protocol numbers.
10621	- when using stub on localhost (127.0.0.1@10053) unbound works.
10622	  Like when running NSD to host a local zone, on the same machine.
10623	  The noprime feature. manpages more explanation. Added a test for it.
10624	- shorthand for reverse PTR,  local-data-ptr: "1.2.3.4 www.ex.com"
10625
1062629 September 2008: Wouter
10627	- EDNS lameness detection, if EDNS packets are dropped this is
10628	  detected, eventually.
10629	- multiple query timeout rtt backoff does not backoff too much.
10630
1063126 September 2008: Wouter
10632	- tests for remote-control.
10633	- small memory leak in exception during remote control fixed.
10634	- fixup for lock checking but not unchecking in remote control.
10635	- iana portlist updated.
10636
1063723 September 2008: Wouter
10638	- Msg cache is loaded. A cache load enables cache responses.
10639	- unbound-control flush [name], flush_type and flush_zone.
10640
1064122 September 2008: Wouter
10642	- dump_cache and load_cache statements in unbound-control.
10643	  RRsets are dumped and loaded correctly.
10644	  Msg cache is dumped.
10645
1064619 September 2008: Wouter
10647	- locking on the localdata structure.
10648	- add and remove local zone and data with unbound-control.
10649	- ldns trunk snapshot updated, make tests work again.
10650
1065118 September 2008: Wouter
10652	- fixup error in time calculation.
10653	- munin plugin improvements.
10654	- nicer abbreviations for high query types values (ixfr, axfr, any...)
10655	- documented the statistics output in unbound-control man page.
10656	- extended statistics prints out histogram, over unbound-control.
10657
1065817 September 2008: Wouter
10659	- locking for threadsafe bogus rrset counter.
10660	- ldns trunk no longer exports b32 functions, provide compat.
10661	- ldns tarball updated.
10662	- testcode/ldns-testpkts.c const fixups.
10663	- fixed rcode stat printout.
10664	- munin plugin in contrib.
10665	- stats always printout uptime, because stats plugins need it.
10666
1066716 September 2008: Wouter
10668	- extended-statistics: yesno config option.
10669	- unwanted replies spoof nearmiss detector.
10670	- iana portlist updated.
10671
1067215 September 2008: Wouter
10673	- working start, stop, reload commands for unbound-control.
10674	- test for unbound-control working; better exit value for control.
10675	- verbosity control via unbound-control.
10676	- unbound-control stats.
10677
1067812 September 2008: Wouter
10679	- removed browser control mentions. Proto speccy.
10680
1068111 September 2008: Wouter
10682	- set nonblocking on new TCP streams, because linux does not inherit
10683	  the socket options to the accepted socket.
10684	- fix TCP timeouts.
10685	- SSL protected connection between server and unbound-control.
10686
1068710 September 2008: Wouter
10688	- remove memleak in privacy addresses on reloads and quits.
10689	- remote control work.
10690
106919 September 2008: Wouter
10692	- smallapp/unbound-control-setup.sh script to set up certificates.
10693
106944 September 2008: Wouter
10695	- scrubber scrubs away private addresses.
10696	- test for private addresses. man page entry.
10697	- code refactored for name and address tree lookups.
10698
106993 September 2008: Wouter
10700	- options for 'DNS Rebinding' protection: private-address and
10701	  private-domain.
10702	- dnstree for reuse of routines that help with domain, addr lookups.
10703	- private-address and private-domain config option read, stored.
10704
107052 September 2008: Wouter
10706	- DoS protection features. Queries are jostled out to make room.
10707	- testbound can pass time, increasing the internal timer.
10708	- do not mark unsigned additionals bogus, leave unchecked, which
10709	  is removed too.
10710
107111 September 2008: Wouter
10712	- disallow nonrecursive queries for cache snooping by default.
10713	  You can allow is using access-control: <subnet> allow_snoop.
10714	  The defaults do allow access no authoritative data without RD bit.
10715	- two tests for it and fixups of tests for nonrec refused.
10716
1071729 August 2008: Wouter
10718	- version 1.1 number in trunk.
10719	- harden-referral-path option for query for NS records.
10720	  Default turns off expensive, experimental option.
10721
1072228 August 2008: Wouter
10723	- fixup logfile handling; it is created with correct permissions
10724	  again. (from bugfix#199).
10725	  Some errors are not written to logfile (pidfile writing, forking),
10726	  and these are only visible by using the -d commandline flag.
10727
1072827 August 2008: Wouter
10729	- daemon(3) is causing problems for people. Reverting the patch.
10730	  bug#200, and 199 and 203 contain sideline discussion on it.
10731	- bug#199 fixed: pidfile can be outside chroot. openlog is done before
10732	  chroot and drop permissions.
10733	- config option to set size of aggressive negative cache,
10734	  neg-cache-size.
10735	- bug#203 fixed: dlv has been implemented.
10736
1073726 August 2008: Wouter
10738	- test for insecure zone when DLV is in use, also does negative cache.
10739	- test for trustanchor when DLV is in use (the anchor works).
10740	- test for DLV used for a zone below a trustanchor.
10741	- added scrub filter for overreaching NSEC records and unit test.
10742	- iana portlist update
10743	- use of setresuid or setreuid when available.
10744	- use daemon(3) if available.
10745
1074625 August 2008: Wouter
10747	- realclean patch from Robert Edmonds.
10748
1074922 August 2008: Wouter
10750	- nicer debuglogging of DLV.
10751	- test with secure delegation inside the DLV repository.
10752
1075321 August 2008: Wouter
10754	- negative cache code linked into validator, for DLV use.
10755	  negative cache works for DLV.
10756	- iana portlist update.
10757	- dlv-anchor option for unit tests.
10758	- fixup NSEC_AT_APEX classification for short typemaps.
10759	- ldns-testns has subdomain checks, for unit tests.
10760
1076120 August 2008: Wouter
10762	- negative cache code, reviewed.
10763
1076418 August 2008: Wouter
10765	- changes info: in logfile to notice: info: or debug: depending on
10766	  the verbosity of the statements.  Better logfile message
10767	  classification.
10768	- bug #208: extra rc.d unbound flexibility for freebsd/nanobsd.
10769
1077015 August 2008: Wouter
10771	- DLV nsec code fixed for better detection of closest existing
10772	  enclosers from NSEC responses.
10773	- DLV works, straight to the dlv repository, so not for production.
10774	- Iana port update.
10775
1077614 August 2008: Wouter
10777	- synthesize DLV messages from the rrset cache, like done for DS.
10778
1077913 August 2008: Wouter
10780	- bug #203: nicer do-auto log message when user sets incompatible
10781	  options.
10782	- bug #204: variable name ameliorated in log.c.
10783	- bug #206: in iana_update, no egrep, but awk use.
10784	- ldns snapshot r2699 taken (includes DLV type).
10785	- DLV work, config file element, trust anchor read in.
10786
1078712 August 2008: Wouter
10788	- finished adjusting testset to provide qtype NS answers.
10789
1079011 August 2008: Wouter
10791	- Fixup rrset security updates overwriting 2181 trust status.
10792	  This makes validated to be insecure data just as worthless as
10793	  nonvalidated data, and 2181 rules prevent cache overwrites to them.
10794	- Fix assertion fail on bogus key handling.
10795	- dnssec lameness detection works on first query at trust apex.
10796	- NS queries get proper cache and dnssec lameness treatment.
10797	- fixup compilation without pthreads on linux.
10798
107998 August 2008: Wouter
10800	- NS queries are done after every referral.
10801	  validator is used on those NS records (if anchors enabled).
10802
108037 August 2008: Wouter
10804	- Scrubber more strict. CNAME chains, DNAMEs from cache, other
10805	  irrelevant rrsets removed.
10806	- 1.0.2 released from 1.0 support branch.
10807	- fixup update-anchor.sh to work both in BSD shell and bash.
10808
108095 August 2008: Wouter
10810	- fixup DS test so apex nodata works again.
10811
108124 August 2008: Wouter
10813	- iana port update.
10814	- TODO update.
10815	- fix bug 201: null ptr deref on cleanup while udp pkts wait for port.
10816	- added explanatory text for outgoing-port-permit in manpage.
10817
1081830 July 2008: Wouter
10819	- fixup bug qtype DS for unsigned zone and signed parent validation.
10820
1082125 July 2008: Wouter
10822	- added original copyright statement of OpenBSD arc4random code.
10823	- created tube signaling solution on windows, as a pipe replacement.
10824	  this makes background asynchronous resolution work on windows.
10825	- removed very insecure socketpair compat code. It also did not
10826	  work with event_waiting. Solved by pipe replacement.
10827	- unbound -h prints openssl version number as well.
10828
1082922 July 2008: Wouter
10830	- moved pipe actions to util/tube.c. easier porting and shared code.
10831	- check _raw() commpoint callbacks with fptr_wlist.
10832	- iana port update.
10833
1083421 July 2008: Wouter
10835	- #198: nicer entropy warning message. manpage OS hints.
10836
1083719 July 2008: Wouter
10838	- #198: fixup man page to suggest chroot entropy fix.
10839
1084018 July 2008: Wouter
10841	- branch for 1.0 support.
10842	- trunk work on tube.c.
10843
1084417 July 2008: Wouter
10845	- fix bug #196, compile outside source tree.
10846	- fix bug #195, add --with-username=user configure option.
10847	- print error and exit if started with config that requires more
10848	  fds than the builtin minievent can handle.
10849
1085016 July 2008: Wouter
10851	- made svn tag 1.0.1, trunk now 1.0.2
10852	- sha256 checksums enabled in makedist.sh
10853
1085415 July 2008: Wouter
10855	- Follow draft-ietf-dnsop-default-local-zones-06 added reverse
10856	  IPv6 example prefix to AS112 default blocklist.
10857	- fixup lookup of DS records by client with trustanchor for same.
10858	- libunbound ub_resolve, fix handling of error condition during setup.
10859	- lowered log_hex blocksize to fit through BSD syslog linesize.
10860	- no useless initialisation if getpwnam not available.
10861	- iana, ldns snapshot updated.
10862
108633 July 2008: Wouter
10864	- Matthijs fixed memory leaks in root hints file reading.
10865
1086626 June 2008: Wouter
10867	- fixup streamtcp bounds setting for udp mode, in the test framework.
10868	- contrib item for updating trust anchors.
10869
1087025 June 2008: Wouter
10871	- fixup fwd_ancil test typos.
10872	- Fix for newegg lameness : ok for qtype=A, but lame for others.
10873	- fixup unit test for infra cache, test lame merging.
10874	- porting to mingw, bind, listen, getsockopt and setsockopt error
10875	  handling.
10876
1087724 June 2008: Wouter
10878	- removed testcode/checklocks from production code compilation path.
10879	- streamtcp can use UDP mode (connected UDP socket), for testing IPv6
10880	  on windows.
10881	- fwd_ancil test fails if platform support is lacking.
10882
1088323 June 2008: Wouter
10884	- fixup minitpkg to cleanup on windows with its file locking troubles.
10885	- minitpkg shows skipped tests in report.
10886	- skip ipv6 tests on ipv4 only hosts (requires only ipv6 localhost not
10887	  ipv6 connectivity).
10888	- winsock event handler keeps track of sticky TCP events, that have
10889	  not been fully handled yet. when interest in the event(s) resumes,
10890	  they are sent again. When WOULDBLOCK is returned events are cleared.
10891	- skip tests that need signals when testing on mingw.
10892
1089318 June 2008: Wouter
10894	- open testbound replay files in binary mode, because fseek/ftell
10895	  do not work in ascii-mode on windows. The b does nothing on unix.
10896	  unittest and testbound tests work on windows (xp too).
10897	- ioctlsocket prints nicer error message.
10898	- fixed up some TCP porting for winsock.
10899	- lack of IPv6 gives a warning, no fatal error.
10900	- use WSAGetLastError() on windows instead of errno for some errors.
10901
1090217 June 2008: Wouter
10903	- outgoing num fds 32 by default on windows ; it supports less
10904	  fds for waiting on than unixes.
10905	- winsock_event minievent handler for windows. (you could also
10906	  attempt to link with libevent/libev ports for windows).
10907	- neater crypto check and gdi32 detection.
10908	- unbound.exe works to resolve and validate www.nlnetlabs.nl on vista.
10909
1091016 June 2008: Wouter
10911	- on windows, use windows threads, mutex and thread-local-storage(Tls).
10912	- detect if openssl needs gdi32.
10913	- if no threading, THREADS_DISABLED is defined for use in the code.
10914	- sets USE_WINSOCK if using ws2_32 on windows.
10915	- wsa_strerror() function for more readable errors.
10916	- WSA Startup and Cleanup called in unbound.exe.
10917
1091813 June 2008: Wouter
10919	- port mingw32, more signal ifdefs, detect sleep, usleep,
10920	  random, srandom (used inside the tests).
10921	- signed or unsigned FD_SET is cast.
10922
1092310 June 2008: Wouter
10924	- fixup warnings compiling on eeepc xandros linux.
10925
109269 June 2008: Wouter
10927	- in iteration response type code
10928	  * first check for SOA record (negative answer) before NS record
10929	    and lameness.
10930	  * check if no AA bit for non-forwarder, and thus lame zone.
10931	    In response to error report by Richard Doty for mail.opusnet.com.
10932	- fixup unput warning from lexer on freeBSD.
10933	- bug#183. pidfile, rundir, and chroot configure options. Also the
10934	  example.conf and manual pages get the configured defaults.
10935	  You can use: (or accept the defaults to /usr/local/etc/unbound/)
10936	  --with-conf-file=filename
10937	  --with-pidfile=filename
10938	  --with-run-dir=path
10939	  --with-chroot-dir=path
10940
109418 June 2008: Wouter
10942	- if multiple CNAMEs, use the first one. Fixup akamai CNAME bug.
10943	  Reported by Robert Edmonds.
10944	- iana port updated.
10945
109464 June 2008: Wouter
10947	- updated libtool files with newer version.
10948	- iana portlist updated.
10949
109503 June 2008: Wouter
10951	- fixup local-zone: "30.172.in-addr.arpa." nodefault, so that the
10952	  trailing dot is not used during comparison.
10953
109542 June 2008: Wouter
10955	- Jelte fixed bugs in my absence
10956	  - bug 178: fixed unportable shell usage in configure (relied on
10957	    bash shell).
10958	  - bug 180: fixed buffer overflow in unbound-checkconf use of strncat.
10959	  - bug 181: fixed buffer overflow in ldns (called by unbound to parse
10960	    config file parts).
10961	- fixes by Wouter
10962	  - bug 177: fixed compilation failure on opensuse, the
10963	    --disable-static configure flag caused problems.  (Patch from
10964	    Klaus Singvogel)
10965	  - bug 179: same fix as 177.
10966	  - bug 185: --disable-shared not passed along to ldns included with
10967	    unbound. Fixed so that configure parameters are passed to the
10968	    subdir configure script.
10969	    fixed that ./libtool is used always, you can still override
10970	    manually with ./configure libtool=mylibtool or set $libtool in
10971	    the environment.
10972	- update of the ldns tarball to current ldns svn version (fix 181).
10973	- bug 184: -r option for unbound-host, read resolv.conf for
10974	  forwarder. (Note that forwarder must support DNSSEC for validation
10975	  to succeed).
10976
1097723 May 2008: Wouter
10978	- mingw32 porting.
10979	  - test for sys/wait.h
10980	  - WSAEWOULDBLOCK test after nonblocking TCP connect.
10981	  - write_iov_buffer removed: unused and no struct iov on windows.
10982	  - signed/unsigned warning fixup mini_event.
10983	  - use ioctlsocket to set nonblocking I/O if fnctl is unavailable.
10984	  - skip signals that are not defined
10985	  - detect pwd.h.
10986	  - detect getpwnam, getrlimit, setsid, sbrk, chroot.
10987	  - default config has no chroot if chroot() unavailable.
10988	  - if no kill() then no pidfile is read or written.
10989	  - gmtime_r is replaced by nonthreadsafe alternative if unavail.
10990	    used in rrsig time validation errors.
10991
1099222 May 2008: Wouter
10993	- contrib unbound.spec from Patrick Vande Walle.
10994	- fixup bug#175: call tzset before chroot to have correct timestamps
10995	  in system log.
10996	- do not generate lex input and lex unput functions.
10997	- mingw port. replacement functions labelled _unbound.
10998	- fix bug 174 - check for tcp_sigpipe that ldns-testns is installed.
10999
1100019 May 2008: Wouter
11001	- fedora 9, check in6_pktinfo define in configure.
11002	- CREDITS fixup of history.
11003	- ignore ldns-1.2.2 if installed, use builtin 1.3.0-pre alternative.
11004
1100516 May 2008: Wouter
11006	- fixup for MacOSX hosts file reading (reported by John Dickinson).
11007	- created 1.0.0 svn tag.
11008	- trunk version 1.0.1.
11009
1101014 May 2008: Wouter
11011	- accepted patch from Ondrej Sury for library version libtool option.
11012	- configure --disable-rpath fixes up libtool for rpath trouble.
11013	  Adapted from debian package patch file.
11014
1101513 May 2008: Wouter
11016	- Added root ipv6 addresses to builtin root hints.
11017	- TODO modified for post 1.0 plans.
11018	- trunk version set to 1.0.0.
11019	- no unnecessary linking with librt (only when libevent/libev used).
11020
110217 May 2008: Wouter
11022	- fixup no-ip4 problem with error callback in outside network.
11023
1102425 April 2008: Wouter
11025	- DESTDIR is honored by the Makefile for rpms.
11026	- contrib files unbound.spec and unbound.init, builds working RPM
11027	  on FC7 Linux, a chrooted caching resolver, and libunbound.
11028	- iana ports update.
11029
1103024 April 2008: Wouter
11031	- chroot checks improved. working directory relative to chroot.
11032	  checks if config file path is inside chroot. Documentation on it.
11033	- nicer example.conf text.
11034	- created 0.11 tag.
11035
1103623 April 2008: Wouter
11037	- parseunbound.pl contrib update from Kai Storbeck for threads.
11038	- iana ports update
11039
1104022 April 2008: Wouter
11041	- ignore SIGPIPE.
11042	- unit test for SIGPIPE ignore.
11043
1104421 April 2008: Wouter
11045	- FEATURES document.
11046	- fixup reread of config file if it was given as a full path
11047	  and chroot was used.
11048
1104916 April 2008: Wouter
11050	- requirements doc, updated clean query returns.
11051	- parseunbound.pl update from Kai Storbeck.
11052	- sunos4 porting changes.
11053
1105415 April 2008: Wouter
11055	- fixup default rc.d pidfile location to /usr/local/etc.
11056	- iana ports updated.
11057	- copyright updated in ldns-testpkts to keep same as in ldns.
11058	- fixup checkconf chroot tests a bit more, chdir must be inside
11059	  chroot dir.
11060	- documented 'gcc: unrecognized -KPIC option' errors on Solaris.
11061	- example.conf values changed to /usr/local/etc/unbound
11062	- DSA test work.
11063	- DSA signatures: unbound is compatible with both encodings found.
11064	  It will detect and convert when necessary.
11065
1106614 April 2008: Wouter
11067	- got update for parseunbound.pl statistics script from Kai Storbeck.
11068	- tpkg tests for udp wait list.
11069	- documented 0x20 status.
11070	- fixup chroot and checkconf, it is much smarter now.
11071	- fixup DSA EVP signature decoding. Solution that Jelte found copied.
11072	- and check first sig byte for the encoding type.
11073
1107411 April 2008: Wouter
11075	- random port selection out of the configged ports.
11076	- fixup threadsafety for libevent-1.4.3+ (event_base_get_method).
11077	- removed base_port.
11078	- created 256-port ephemeral space for the OS, 59802 available.
11079	- fixup consistency of port_if out array during heavy use.
11080
1108110 April 2008: Wouter
11082	- --with-libevent works with latest libevent 1.4.99-trunk.
11083	- added log file statistics perl script to contrib.
11084	- automatic iana ports update from makefile. 60058 available.
11085
110869 April 2008: Wouter
11087	- configure can detect libev(from its build directory) when passed
11088	  --with-libevent=/home/wouter/libev-3.2
11089	  libev-3.2 is a little faster than libevent-1.4.3-stable (about 5%).
11090	- unused commpoints not listed in epoll list.
11091	- statistics-cumulative option so that the values are not reset.
11092	- config creates array of available ports, 61841 available,
11093	  it excludes <1024 and iana assigned numbers.
11094	  config statements to modify the available port numbers.
11095
110968 April 2008: Wouter
11097	- unbound tries to set the ulimit fds when started as server.
11098	  if that does not work, it will scale back its requirements.
11099
1110027 March 2008: Wouter
11101	- documented /dev/random symlink from chrootdir as FAQ entry.
11102
1110326 March 2008: Wouter
11104	- implemented AD bit signaling. If a query sets AD bit (but not DO)
11105	  then the AD bit is set in the reply if the answer validated.
11106	  Without including DNSSEC signatures. Useful if you have a trusted
11107	  path from the client to the resolver. Follows dnssec-updates draft.
11108
1110925 March 2008: Wouter
11110	- implemented check that for NXDOMAIN and NOERROR answers a query
11111	  section must be present in the reply (by the scrubber). And it must
11112	  be equal to the question sent, at least lowercase folded.
11113	  Previously this feature happened because the cache code refused
11114	  to store such messages. However blocking by the scrubber makes
11115	  sure nothing gets into the RRset cache. Also, this looks like a
11116	  timeout (instead of an allocation failure) and this retries are
11117	  done (which is useful in a spoofing situation).
11118	- RTT banding. Band size 400 msec, this makes band around zero (fast)
11119	  include unknown servers. This makes unbound explore unknown servers.
11120
111217 March 2008: Wouter
11122	- -C config feature for harvest program.
11123	- harvest handles CNAMEs too.
11124
111255 March 2008: Wouter
11126	- patch from Hugo Koji Kobayashi for iterator logs spelling.
11127
111284 March 2008: Wouter
11129	- From report by Jinmei Tatuya, rfc2181 trust value for remainder
11130	  of a cname trust chain is lower; not full answer_AA.
11131	- test for this fix.
11132	- default config file location is /usr/local/etc/unbound.
11133	  Thus prefix is used to determine the location. This is also the
11134	  chroot and pidfile default location.
11135
111363 March 2008: Wouter
11137	- Create 0.10 svn tag.
11138	- 0.11 version in trunk.
11139	- indentation nicer.
11140
1114129 February 2008: Wouter
11142	- documentation update.
11143	- fixup port to Solaris of perf test tool.
11144	- updated ldns-tarball with decl-after-statement fixes.
11145
1114628 February 2008: Wouter
11147	- fixed memory leaks in libunbound (during cancellation and wait).
11148	- libunbound returns the answer packet in full.
11149	- snprintf compat update.
11150	- harvest performs lookup.
11151	- ldns-tarball update with fix for ldns_dname_label.
11152	- installs to sbin by default.
11153	- install all manual pages (unbound-host and libunbound too).
11154
1115527 February 2008: Wouter
11156	- option to use caps for id randomness.
11157	- config file option use-caps-for-id: yes
11158	- harvest debug tool
11159
1116026 February 2008: Wouter
11161	- delay utility delays TCP as well. If the server that is forwarded
11162	  to has a TCP error, the delay utility closes the connection.
11163	- delay does REUSE_ADDR, and can handle a server that closes its end.
11164	- answers use casing from query.
11165
1116625 February 2008: Wouter
11167	- delay utility works. Gets decent thoughput too (>20000).
11168
1116922 February 2008: Wouter
11170	- +2% for recursions, if identical queries (except for destination
11171	  and query ID) in the reply list, avoid re-encoding the answer.
11172	- removed TODO items for optimizations that do not show up in
11173	  profile reports.
11174	- default is now minievent - not libevent. As its faster and
11175	  not needed for regular installs, only for very large port ranges.
11176	- loop check different speedup pkt-dname-reading, 1% faster for
11177	  nocache-recursion check.
11178	- less hashing during msg parse, 4% for recursion.
11179	- small speed fix for dname_count_size_labels, +1 or +2% recursion.
11180	- some speed results noted:
11181	  optimization resulted in +40% for recursion (cache miss) and
11182	  +70 to +80 for cache hits, and +96% for version.bind.
11183	  zone nsec3 example, 100 NXDOMAIN queries, NSD 35182.8 Ub 36048.4
11184	  www.nlnetlabs.nl from cache: BIND 8987.99 Ub 31218.3
11185	  www with DO bit set : BIND 8269.31 Ub 28735.6 qps.
11186	  So, unbound can be about equal qps to NSD in cache hits.
11187	  And about 3.4x faster than BIND in cache performance.
11188	- delay utility for testing.
11189
1119021 February 2008: Wouter
11191	- speedup of root-delegation message encoding by 15%.
11192	- minor speedup of compress tree_lookup, maybe 1%.
11193	- speedup of dname_lab_cmp and memlowercmp - the top functions in
11194	  profiler output, maybe a couple percent when it matters.
11195
1119620 February 2008: Wouter
11197	- setup speec_cache for need-ldns-testns in dotests.
11198	- check number of queued replies on incoming queries to avoid overload
11199	  on that account.
11200	- fptr whitelist checks are not disabled in optimize mode.
11201	- do-daemonize config file option.
11202	- minievent time share initializes time at start.
11203	- updated testdata for nsec3 new algorithm numbers (6, 7).
11204	- small performance test of packet encoding (root delegation).
11205
1120619 February 2008: Wouter
11207	- applied patch to unbound-host man page from Jan-Piet Mens.
11208	- fix donotquery-localhost: yes default (it erroneously was switched
11209	  to default 'no').
11210	- time is only gotten once and the value is shared across unbound.
11211	- unittest cleans up crypto, so that it has no memory leaks.
11212	- mini_event shares the time value with unbound this results in
11213	  +3% speed for cache responses and +9% for recursions.
11214	- ldns tarball update with new NSEC3 sign code numbers.
11215	- perform several reads per UDP operation. This improves performance
11216	  in DoS conditions, and costs very little in normal conditions.
11217	  improves cache response +50%, and recursions +10%.
11218	- modified asynclook test. because the callback from async is not
11219	  in any sort of lock (and thus can use all library functions freely),
11220	  this causes a tiny race condition window when the last lock is
11221	  released for a callback and a new cancel() for that callback.
11222	  The only way to remove this is by putting callbacks into some
11223	  lock window. I'd rather have the small possibility of a callback
11224	  for a cancelled function then no use of library functions in
11225	  callbacks. Could be possible to only outlaw process(), wait(),
11226	  cancel() from callbacks, by adding another lock, but I'd rather not.
11227
1122818 February 2008: Wouter
11229	- patch to unbound-host from Jan-Piet Mens.
11230	- unbound host prints errors if fails to configure context.
11231	- fixup perf to resend faster, so that long waiting requests do
11232	  not hold up the queue, they become lost packets or SERVFAILs,
11233	  or can be sent a little while later (i.e. processing time may
11234	  take long, but throughput has to be high).
11235	- fixup iterator operating in no cache conditions (RD flag unset
11236	  after a CNAME).
11237	- streamlined code for RD flag setting.
11238	- profiled code and changed dname compares to be faster.
11239	  The speedup is about +3% to +8% (depending on the test).
11240	- minievent tests for eintr and eagain.
11241
1124215 February 2008: Wouter
11243	- added FreeBSD rc.d script to contrib.
11244	- --prefix option for configure also changes directory: pidfile:
11245	  and chroot: defaults in config file.
11246	- added cache speed test, for cache size OK and cache too small.
11247
1124814 February 2008: Wouter
11249	- start without a config file (will complain, but start with
11250	  defaults).
11251	- perf test program works.
11252
1125313 February 2008: Wouter
11254	- 0.9 released.
11255	- 1.0 development. Printout ldns version on unbound -h.
11256	- start of perf tool.
11257	- bugfix to read empty lines from /etc/hosts.
11258
1125912 February 2008: Wouter
11260	- fixup problem with configure calling itself if ldns-src tarball
11261	  is not present.
11262
1126311 February 2008: Wouter
11264	- changed library to use ub_ instead of ub_val_ as prefix.
11265	- statistics output text nice.
11266	- etc/hosts handling.
11267	- library function to put logging to a stream.
11268	- set any option interface.
11269
112708 February 2008: Wouter
11271	- test program for multiple queries over a TCP channel.
11272	- tpkg test for stream tcp queries.
11273	- unbound replies to multiple TCP queries on a TCP channel.
11274	- fixup misclassification of root referral with NS in answer
11275	  when validating a nonrec query.
11276	- tag 0.9
11277	- layout of manpages, spelling fix in header, manpages process by
11278	  makedist, list asynclook and tcpstream tests as ldns-testns
11279	  required.
11280
112817 February 2008: Wouter
11282	- moved up all current level 2 to be level 3. And 3 to 4.
11283	  to make room for new debug level 2 for detailed information
11284	  for operators.
11285	- verbosity level 2. Describes recursion and validation.
11286	- cleaner configure script and fixes for libevent solaris.
11287	- signedness for log output memory sizes in high verbosity.
11288
112896 February 2008: Wouter
11290	- clearer explanation of threading configure options.
11291	- fixup asynclook test for nothreading (it creates only one process
11292	  to do the extended test).
11293	- changed name of ub_val_result_free to ub_val_resolve_free.
11294	- removes warning message during library linking, renamed
11295	  libunbound/unbound.c -> libunbound.c and worker to libworker.
11296	- fallback without EDNS if result is NOTIMPL as well as on FORMERR.
11297
112985 February 2008: Wouter
11299	- statistics-interval: seconds option added.
11300	- test for statistics option
11301	- ignore errors making directories, these can occur in parallel builds
11302	- fixup Makefile strip command and libunbound docs typo.
11303
1130431 January 2008: Wouter
11305	- bg thread/process reads and writes the pipe nonblocking all the time
11306	  so that even if the pipe is buffered or so, the bg thread does not
11307	  block, and services both pipes and queries.
11308
1130930 January 2008: Wouter
11310	- check trailing / on chrootdir in checkconf.
11311	- check if root hints and anchor files are in chrootdir.
11312	- no route to host tcp error is verbosity level 2.
11313	- removed unused send_reply_iov. and its configure check.
11314	- added prints of 'remote address is 1.2.3.4 port 53' to errors
11315	  from netevent; the basic socket errors.
11316
1131728 January 2008: Wouter
11318	- fixup uninit use of buffer by libunbound (query id, flags) for
11319	  local_zone answers.
11320	- fixup uninit warning from random.c; also seems to fix sporadic
11321	  sigFPE coming out of openssl.
11322	- made openssl entropy warning more silent for library use. Needs
11323	  verbosity 1 now.
11324	- fixup forgotten locks for rbtree_searches on ctx->query tree.
11325	- random generator cleanup - RND_STATE_SIZE removed, and instead
11326	  a super-rnd can be passed at init to chain init random states.
11327	- test also does lock checks if available.
11328	- protect config access in libworker_setup().
11329	- libevent doesn't like comm_base_exit outside of runloop.
11330	- close fds after removing commpoints only (for epoll, kqueue).
11331
1133225 January 2008: Wouter
11333	- added tpkg for asynclook and library use.
11334	- allows localhost to be queried when as a library.
11335	- fixup race condition between cancel and answer (in case of
11336	  really fast answers that beat the cancel).
11337	- please doxygen, put doxygen comment in one place.
11338	- asynclook -b blocking mode and test.
11339	- refactor asynclook, nicer code.
11340	- fixup race problems from openssl in rand init from library, with
11341	  a mutex around the rand init.
11342	- fix pass async_id=NULL to _async resolve().
11343	- rewrote _wait() routine, so that it is threadsafe.
11344	- cancelation is threadsafe.
11345	- asynclook extended test in tpkg.
11346	- fixed two races where forked bg process waits for (somehow shared?)
11347	  locks, so does not service the query pipe on the bg side.
11348	  Now those locks are only held for fg_threads and for bg_as_a_thread.
11349
1135024 January 2008: Wouter
11351	- tested the cancel() function.
11352	- asynclook -c (cancel) feature.
11353	- fix fail to allocate context actions.
11354	- make pipe nonblocking at start.
11355	- update plane for retry mode with caution to limit bandwidth.
11356	- fix Makefile for concurrent make of unbound-host.
11357	- renamed ub_val_ctx_wait/poll/process/fd to ub_val*.
11358	- new calls to set forwarding added to header and docs.
11359
1136023 January 2008: Wouter
11361	- removed debug prints from if-auto, verb-algo enables some.
11362	- libunbound QUIT setup, remove memory leaks, when using threads
11363	  will share memory for passing results instead of writing it over
11364	  the pipe, only writes ID number over the pipe (towards the handler
11365	  thread that does process() ).
11366
1136722 January 2008: Wouter
11368	- library code for async in libunbound/unbound.c.
11369	- fix link testbound.
11370	- fixup exit bug in mini_event.
11371	- background worker query enter and result functions.
11372	- bg query test application asynclook, it looks up multiple
11373	  hostaddresses (A records) at the same time.
11374
1137521 January 2008: Wouter
11376	- libworker work, netevent raw commpoints, write_msg, serialize.
11377
1137818 January 2008: Wouter
11379	- touch up of manpage for libunbound.
11380	- support for IP_RECVDSTADDR (for *BSD ip4).
11381	- fix for BSD, do not use ip4to6 mapping, make two sockets, once
11382	  ip6 and once ip4, uses socket options.
11383	- goodbye ip4to6 mapping.
11384	- update ldns-testpkts with latest version from ldns-trunk.
11385	- updated makedist for relative ldns pathnames.
11386	- library API with more information inside the result structure.
11387	- work on background resolves.
11388
1138917 January 2008: Wouter
11390	- fixup configure in case -lldns is installed.
11391	- fixup a couple of doxygen warnings, about enum variables.
11392	- interface-automatic now copies the interface address from the
11393	  PKT_INFO structure as well.
11394	- manual page with library API, all on one page 'man libunbound'.
11395	- rewrite of PKTINFO structure, it also captures IP4 PKTINFO.
11396
1139716 January 2008: Wouter
11398	- incoming queries to the server with TC bit on are replied FORMERR.
11399	- interface-automatic replied the wrong source address on localhost
11400	  queries. Seems to be due to ifnum=0 in recvmsg PKTINFO. Trying
11401	  to use ifnum=-1 to mean 'no interface, use kernel route'.
11402
1140315 January 2008: Wouter
11404	- interface-automatic feature. experimental. Nice for anycast.
11405	- tpkg test for ip6 ancillary data.
11406	- removed debug prints.
11407	- porting experience, define for Solaris, test refined for BSD
11408	  compatibility. The feature probably will not work on OpenBSD.
11409	- makedist fixup for ldns-src in build-dir.
11410
1141114 January 2008: Wouter
11412	- in no debug sets NDEBUG to remove asserts.
11413	- configure --enable-debug is needed for dependency generation
11414	  for assertions and for compiler warnings.
11415	- ldns.tgz updated with ldns-trunk (where buffer.h is updated).
11416	- fix lint, unit test in optimize mode.
11417	- default access control allows ::ffff:127.0.0.1 v6mapped localhost.
11418
1141911 January 2008: Wouter
11420	- man page, warning removed.
11421	- added text describing the use of stub zones for private zones.
11422	- checkconf tests for bad hostnames (IP address), and for doubled
11423	  interface lines.
11424	- memory sizes can be given with 'k', 'Kb', or M or G appended.
11425
1142610 January 2008: Wouter
11427	- typo in example.conf.
11428	- made using ldns-src that is included the package more portable
11429	  by linking with .lo instead of .o files in the ldns package.
11430	- nicer do-ip6: yes/no documentation.
11431	- nicer linking of libevent .o files.
11432	- man pages render correctly on solaris.
11433
114349 January 2008: Wouter
11435	- fixup openssl RAND problem, when the system is not configured to
11436	  give entropy, and the rng needs to be seeded.
11437
114388 January 2008: Wouter
11439	- print median and quartiles with extensive logging.
11440
114414 January 2008: Wouter
11442	- document misconfiguration in private network.
11443
114442 January 2008: Wouter
11445	- fixup typo in requirements.
11446	- document that 'refused' is a better choice than 'drop' for
11447	  the access control list, as refused will stop retries.
11448
114497 December 2007: Wouter
11450	- unbound-host has a -d option to show what happens. This can help
11451	  with debugging (why do I get this answer).
11452	- fixup CNAME handling, on nodata, sets and display canonname.
11453	- dot removed from CNAME display.
11454	- respect -v for NXDOMAINs.
11455	- updated ldns-src.tar.gz with ldns-trunk today (1.2.2 fixes).
11456	- size_t to int for portability of the header file.
11457	- fixup bogus handling.
11458	- dependencies and lint for unbound-host.
11459
114606 December 2007: Wouter
11461	- library resolution works in foreground mode, unbound-host app
11462	  receives data.
11463	- unbound-host prints rdata using ldns.
11464	- unbound-host accepts trust anchors, and prints validation
11465	  information when you give -v.
11466
114675 December 2007: Wouter
11468	- locking in context_new() inside the function.
11469	- setup of libworker.
11470
114714 December 2007: Wouter
11472	- minor Makefile fixup.
11473	- moved module-stack code out of daemon/daemon into services/modstack,
11474	  preparing for code-reuse.
11475	- move context into own header file.
11476	- context query structure.
11477	- removed unused variable pwd from checkconf.
11478	- removed unused assignment from outside netw.
11479	- check timeval length of string.
11480	- fixup error in val_utils getsigner.
11481	- fixup same (*var) error in netblocktostr.
11482	- fixup memleak on parse error in localzone.
11483	- fixup memleak on packet parse error.
11484	- put ; after union in parser.y.
11485	- small hardening in iter_operate against iq==NULL.
11486	- hardening, if error reply with rcode=0 (noerror) send servfail.
11487	- fixup same (*var) error in find_rrset in msgparse, was harmless.
11488	- check return value of evtimer_add().
11489	- fixup lockorder in lruhash_reclaim(), building up a list of locked
11490	  entries one at a time. Instead they are removed and unlocked.
11491	- fptr_wlist for markdelfunc.
11492	- removed is_locked param from lruhash delkeyfunc.
11493	- moved bin_unlock during bin_split purely to please.
11494
114953 December 2007: Wouter
11496	- changed checkconf/ to smallapp/ to make room for more support tools.
11497	  (such as unbound-host).
11498	- install dirs created with -m 755 because they need to be accessible.
11499	- library extensive featurelist added to TODO.
11500	- please doxygen, lint.
11501	- library test application, with basic functionality.
11502	- fix for building in a subdirectory.
11503	- link lib fix for Leopard.
11504
1150530 November 2007: Wouter
11506	- makefile that creates libunbound.la, basic file or libunbound.a
11507	  when creating static executables (no libtool).
11508	- more API setup.
11509
1151029 November 2007: Wouter
11511	- 0.9 public API start.
11512
1151328 November 2007: Wouter
11514	- Changeup plan for 0.8 - no complication needed, a simple solution
11515	  has been chosen for authoritative features.
11516	- you can use single quotes in the config file, so it is possible
11517	  to specify TXT records in local data.
11518	- fixup small memory problem in implicit transparent zone creation.
11519	- test for implicit zone creation and multiple RR RRsets local data.
11520	- local-zone nodefault test.
11521	- show testbound testlist on commit.
11522	- iterator normalizer changes CNAME chains ending in NXDOMAIN where
11523	  the packet got rcode NXDOMAIN into rcode NOERROR. (since the initial
11524	  domain exists).
11525	- nicer verbosity: 0 and 1 levels.
11526	- lower nonRDquery chance of eliciting wrongly typed validation
11527	  requiring message from the cache.
11528	- fix for nonRDquery validation typing; nodata is detected when
11529	  SOA record in auth section (all validation-requiring nodata messages
11530	  have a SOA record in authority, so this is OK for the validator),
11531	  and NS record is needed to be a referral.
11532	- duplicate checking when adding NSECs for a CNAME, and test.
11533	- created svn tag 0.8, after completing testbed tests.
11534
1153527 November 2007: Wouter
11536	- per suggestion in rfc2308, replaced default max-ttl value with 1 day.
11537	- set size of msgparse lookup table to 32, from 1024, so that its size
11538	  is below the 2048 regional large size threshold, and does not cause
11539	  a call to malloc when a message is parsed.
11540	- update of memstats tool to print number of allocation calls.
11541	  This is what is taking time (not space) and indicates the avg size
11542	  of the allocations as well. region_alloc stat is removed.
11543
1154422 November 2007: Wouter
11545	- noted EDNS in-the-middle dropping trouble as a TODO.
11546	  At this point theoretical, no user trouble has been reported.
11547	- added all default AS112 zones.
11548	- answers from local zone content.
11549		* positive answer, the rrset in question
11550		* nodata answer (exist, but not that type).
11551		* nxdomain answer (domain does not exist).
11552		* empty-nonterminal answer.
11553		* But not: wildcard, nsec, referral, rrsig, cname/dname,
11554			or additional section processing, NS put in auth.
11555	- test for correct working of static and transparent and couple
11556	  of important defaults (localhost, as112, reverses).
11557	  Also checks deny and refuse settings.
11558	- fixup implicit zone generation and AA bit for NXDOMAIN on localdata.
11559
1156021 November 2007: Wouter
11561	- local zone internal data setup.
11562
1156320 November 2007: Wouter
11564	- 0.8 - str2list config support for double string config options.
11565	- local-zone and local-data options, config storage and documentation.
11566
1156719 November 2007: Wouter
11568	- do not downcase NSEC and RRSIG for verification. Follows
11569	  draft-ietf-dnsext-dnssec-bis-updates-06.txt.
11570	- fixup leaking unbound daemons at end of tests.
11571	- README file updated.
11572	- nice libevent not found error.
11573	- README talks about gnu make.
11574	- 0.8: unit test for addr_mask and fixups for it.
11575	  and unit test for addr_in_common().
11576	- 0.8: access-control config file element.
11577	  and unit test rpl replay file.
11578	- 0.8: fixup address reporting from netevent.
11579
1158016 November 2007: Wouter
11581	- privilege separation is not needed in unbound at this time.
11582	  TODO item marked as such.
11583	- created beta-0.7 branch for support.
11584	- tagged 0.7 for beta release.
11585	- moved trunk to 0.8 for 0.8(auth features) development.
11586	- 0.8: access control list setup.
11587
1158815 November 2007: Wouter
11589	- review fixups from Jelte.
11590
1159114 November 2007: Wouter
11592	- testbed script does not recreate configure, since its in svn now.
11593	- fixup checkconf test so that it does not test
11594	  /etc/unbound/unbound.conf.
11595	- tag 0.6.
11596
1159713 November 2007: Wouter
11598	- remove debug print.
11599	- fixup testbound exit when LIBEVENT_SIGNAL_PROBLEM exists.
11600
1160112 November 2007: Wouter
11602	- fixup signal handling where SIGTERM could be ignored if a SIGHUP
11603	  arrives later on.
11604	- bugreports to unbound-bugs@nlnetlabs.nl
11605	- fixup testbound so it exits cleanly.
11606	- cleanup the caches on a reload, so that rrsetID numbers won't clash.
11607
116089 November 2007: Wouter
11609	- took ldns snapshot in repo.
11610	- default config file is /etc/unbound/unbound.conf.
11611	  If it doesn't exist, it is installed with the doc/example.conf file.
11612	  The file is not deleted on uninstall.
11613	- default listening is not all, but localhost interfaces.
11614
116158 November 2007: Wouter
11616	- Fixup chroot and drop user privileges.
11617	- new L root ip address in default hints.
11618
116191 November 2007: Wouter
11620	- Fixup of crash on reload, due to anchors in env not NULLed after
11621	  dealloc during deinit.
11622	- Fixup of chroot call. Happens after privileges are dropped, so
11623	  that checking the passwd entry still works.
11624	- minor touch up of clear() hashtable function.
11625	- VERB_DETAIL prints out what chdir, username, chroot is being done.
11626	- when id numbers run out, caches are cleared, as in design notes.
11627	  Tested with a mock setup with very few bits in id, it worked.
11628	- harden-dnssec-stripped: yes is now default. It insists on dnssec
11629	  data for trust anchors. Included tests for the feature.
11630
1163131 October 2007: Wouter
11632	- cache-max-ttl config option.
11633	- building outside sourcedir works again.
11634	- defaults more secure:
11635		username: "unbound"
11636		chroot: "/etc/unbound"
11637	  The operator can override them to be less secure ("") if necessary.
11638	- fix horrible oversight in sorting rrset references in a message,
11639	  sort per reference key pointer, not on referencepointer itself.
11640	- pidfile: "/etc/unbound/unbound.pid" is now the default.
11641	- tests changed to reflect the updated default.
11642	- created hashtable clear() function that respects locks.
11643
1164430 October 2007: Wouter
11645	- fixup assertion failure that relied on compressed names to be
11646	  smaller than uncompressed names. A packet from comrite.com was seen
11647	  to be compressed to a larger size. Added it as unit test.
11648	- quieter logging at low verbosity level for common tcp messages.
11649	- no greedy TTL update.
11650
1165123 October 2007: Wouter
11652	- fixup (grand-)parent problem for dnssec-lameness detection.
11653	- fixup tests to do additional section processing for lame replies,
11654	  since the detection needs that.
11655	- no longer trust in query section in reply during dnssec lame detect.
11656	- dnssec lameness does not make the server never ever queried, but
11657	  non-preferred. If no other servers exist or answer, the dnssec lame
11658	  server is used; the fastest dnssec lame server is chosen.
11659	- added test then when trust anchor cannot be primed (nodata), the
11660	  insecure mode from unbound works.
11661	- Fixup max queries per thread, any more are dropped.
11662
1166322 October 2007: Wouter
11664	- added donotquerylocalhost config option. Can be turned off for
11665	  out test cases.
11666	- ISO C compat changes.
11667	- detect RA-no-AA lameness, as LAME.
11668	- DNSSEC-lameness detection, as LAME.
11669	  See notes in requirements.txt for choices made.
11670	- tests for lameness detection.
11671	- added all to make test target; need unbound for fwd tests.
11672	- testbound does not pollute /etc/unbound.
11673
1167419 October 2007: Wouter
11675	- added configure (and its files) to svn, so that the trunk is easier
11676	  to use. ./configure, config.guess, config.sub, ltmain.sh,
11677	  and config.h.in.
11678	- added yacc/lex generated files, util/configlexer.c,
11679	  util/configparser.c util/configparser.h, to svn.
11680	- without lex no attempt to use it.
11681	- unsecure response validation collated into one block.
11682	- remove warning about const cast of cfgfile name.
11683	- outgoing-interfaces can be different from service interfaces.
11684	- ldns-src configure is done during unbound configure and
11685	  ldns-src make is done during unbound make, and so inherits the
11686	  make arguments from the unbound make invocation.
11687	- nicer error when libevent problem causes instant exit on signal.
11688	- read root hints from a root hint file (like BIND does).
11689
1169018 October 2007: Wouter
11691	- addresses are logged with errors.
11692	- fixup testcode fake event to remove pending before callback
11693	  since the callback may create new pending items.
11694	- tests updated because retries are now in iterator module.
11695	- ldns-testpkts code is checked for differences between unbound
11696	  and ldns by makedist.sh.
11697	- ldns trunk from today added in svn repo for fallback in case
11698	  no ldns is installed on the system.
11699	  make download_ldns refreshes the tarball with ldns svn trunk.
11700	- ldns-src.tar.gz is used if no ldns is found on the system, and
11701	  statically linked into unbound.
11702	- start of regional allocator code.
11703	- regional uses less memory and variables, simplified code.
11704	- remove of region-allocator.
11705	- alloc cache keeps a cache of recently released regional blocks,
11706	  up to a maximum.
11707	- make unit test cleanly free memory.
11708
1170917 October 2007: Wouter
11710	- fixup another cycle detect and ns-addr timeout resolution bug.
11711	  This time by refusing delegations from the cache without addresses
11712	  when resolving a mandatory-glue nameserver-address for that zone.
11713	  We're going to have to ask a TLD server anyway; might as well be
11714	  the TLD server for this name. And this resolves a lot of cases where
11715	  the other nameserver names lead to cycles or are not available.
11716	- changed random generator from random(3) clone to arc4random wrapped
11717	  for thread safety. The random generator is initialised with
11718	  entropy from the system.
11719	- fix crash where failure to prime DNSKEY tried to print null pointer
11720	  in the log message.
11721	- removed some debug prints, only verb_algo (4) enables them.
11722	- fixup test; new random generator took new paths; such as one
11723	  where no scripted answer was available.
11724	- mark insecure RRs as insecure.
11725	- fixup removal of nonsecure items from the additional.
11726	- reduced timeout values to more realistic, 376 msec (262 msec has
11727	  90% of roundtrip times, 512 msec has 99% of roundtrip times.)
11728	- server selection failover to next server after timeout (376 msec).
11729
1173016 October 2007: Wouter
11731	- no malloc in log_hex.
11732	- assertions around system calls.
11733	- protect against gethostname without ending zero.
11734	- ntop output is null terminated by unbound.
11735	- pidfile content null termination
11736	- various snprintf use sizeof(stringbuf) instead of fixed constant.
11737	- changed loopdetect % 8 with & 0x7 since % can become negative for
11738	  weird negative input and particular interpretation of integer math.
11739	- dname_pkt_copy checks length of result, to protect result buffers.
11740	  prints an error, this should not happen. Bad strings should have
11741	  been rejected earlier in the program.
11742	- remove a size_t underflow from msgreply size func.
11743
1174415 October 2007: Wouter
11745	- nicer warning.
11746	- fix IP6 TCP, wrong definition check. With test package.
11747	- fixup the fact that the query section was not compressed to,
11748	  the code was there but was called by value instead of by reference.
11749	  And test for the case, uses xxd and nc.
11750	- more portable ip6 check for sockaddr types.
11751
117528 October 2007: Wouter
11753	- --disable-rpath option in configure for 64bit systems with
11754	  several dynamic lib dirs.
11755
117567 October 2007: Wouter
11757	- fixup tests for no AD bit in non-DO queries.
11758	- test that makes sure AD bit is not set on non-DO query.
11759
117606 October 2007: Wouter
11761	- removed logfile open early. It did not have the proper permissions;
11762	  it was opened as root instead of the user. And we cannot change user
11763	  id yet, since chroot and bind ports need to be done.
11764	- callback checks for event callbacks done from mini_event. Because
11765	  of deletions cannot do this from netevent. This means when using
11766	  libevent the protection does not work on event-callbacks.
11767	- fixup too small reply (did not zero counts).
11768	- fixup reply no longer AD bit when query without DO bit.
11769
117705 October 2007: Wouter
11771	- function pointer whitelist.
11772
117734 October 2007: Wouter
11774	- overwrite sensitive random seed value after use.
11775	- switch to logfile very soon if not -d (console attached).
11776	- error messages do not reveal the trustanchor contents.
11777	- start work on function pointer whitelists.
11778
117793 October 2007: Wouter
11780	- fix for multiple empty nonterminals, after multiple DSes in the
11781	  chain of trust.
11782	- mesh checks if modules are looping, and stops them.
11783	- refetch with CNAMEd nameserver address regression test added.
11784	- fixup line count bug in testcode, so testbound prints correct line
11785	  number with parse errors.
11786	- unit test for multiple ENT case.
11787	- fix for cname out of validated unsec zone.
11788	- fixup nasty id=0 reuse. Also added assertions to detect its
11789	  return (the assertion catches in the existing test cases).
11790
117911 October 2007: Wouter
11792	- skip F77, CXX, objC tests in configure step.
11793	- fixup crash in refetch glue after a CNAME.
11794	  and protection against similar failures (with error print).
11795
1179628 September 2007: Wouter
11797	- test case for unbound-checkconf, fixed so it also checks the
11798	  interface: statements.
11799
1180026 September 2007: Wouter
11801	- SIGHUP will reopen the log file.
11802	- Option to log to syslog.
11803	- please lint, fixup tests (that went to syslog on open, oops).
11804	- config check program.
11805
1180625 September 2007: Wouter
11807	- tests for NSEC3. Fixup bitmap checks for NSEC3.
11808	- positive ANY response needs to check if wildcard expansion, and
11809	  check that original data did not exist.
11810	- tests for NSEC3 that wrong use of OPTOUT is bad. For insecure
11811	  delegation, for abuse of child zone apex nsec3.
11812	- create 0.5 release tag.
11813
1181424 September 2007: Wouter
11815	- do not make test programs by default.
11816	- But 'make test' will perform all of the tests.
11817	- Advertise builtin select libevent alternative when no libevent
11818	  is found.
11819	- signit can generate NSEC3 hashes, for generating tests.
11820	- multiple nsec3 parameters in message test.
11821	- too high nsec3 iterations becomes insecure test.
11822
1182321 September 2007: Wouter
11824	- fixup empty_DS_name allocated in wrong region (port DEC Alpha).
11825	- fixup testcode lock safety (port FreeBSD).
11826	- removes subscript has type char warnings (port Solaris 9).
11827	- fixup of field with format type to int (port MacOS/X intel).
11828	- added test for infinite loop case in nonRD answer validation.
11829	  It was a more general problem, but hard to reproduce. When an
11830	  unsigned rrset is being validated and the key fetched, the DS
11831	  sequence is followed, but if the final name has no DS, then no
11832	  proof is possible - the signature has been stripped off.
11833
1183420 September 2007: Wouter
11835	- fixup and test for NSEC wildcard with empty nonterminals.
11836	- makedist.sh fixup for svn info.
11837	- acl features request in plan.
11838	- improved DS empty nonterminal handling.
11839	- compat with ANS nxdomain for empty nonterminals. Attempts the nodata
11840	  proof anyway, which succeeds in ANS failure case.
11841	- striplab protection in case it becomes -1.
11842	- plans for static and blacklist config.
11843
1184419 September 2007: Wouter
11845	- comments about non-packed usage.
11846	- plan for overload support in 0.6.
11847	- added testbound tests for a failed resolution from the logs
11848	  and for failed prime when missing glue.
11849	- fixup so useless delegation points are not returned from the
11850	  cache. Also the safety belt is used if priming fails to complete.
11851	- fixup NSEC rdata not to be lowercased, bind compat.
11852
1185318 September 2007: Wouter
11854	- wildcard nsec3 testcases, and fixup to get correct wildcard name.
11855	- validator prints subtype classification for debug.
11856
1185717 September 2007: Wouter
11858	- NSEC3 hash cache unit test.
11859	- validator nsec3 nameerror test.
11860
1186114 September 2007: Wouter
11862	- nsec3 nodata proof, nods proof, wildcard proof.
11863	- nsec3 support for cname chain ending in noerror or nodata.
11864	- validator calls nsec3 proof routines if no NSECs prove anything.
11865	- fixup iterator bug where it stored the answer to a cname under
11866	  the wrong qname into the cache. When prepending the cnames, the
11867	  qname has to be reset to the original qname.
11868
1186913 September 2007: Wouter
11870	- nsec3 find matching and covering, ce proof, prove namerror msg.
11871
1187212 September 2007: Wouter
11873	- fixup of manual page warnings, like for NSD bugreport.
11874	- nsec3 work, config, max iterations, filter, and hash cache.
11875
118766 September 2007: Wouter
11877	- fixup to find libevent on mac port install.
11878	- fixup size_t vs unsigned portability in validator/sigcrypt.
11879	- please compiler on different platforms, for unreachable code.
11880	- val_nsec3 file.
11881	- pthread_rwlock type is optional, in case of old pthread libs.
11882
118835 September 2007: Wouter
11884	- cname, name error validator tests.
11885	- logging of qtype ANY works.
11886	- ANY type answers get RRSIG in answer section of replies (but not
11887	  in other sections, unless DO bit is on).
11888	- testbound can replay a TCP query (set MATCH TCP in the QUERY).
11889	- DS and noDS referral validation test.
11890	- if you configure many trust anchors, parent trust anchors can
11891	  securely deny existence of child trust anchors, if validated.
11892	- not all *.name NSECs are present because a wildcard was matched,
11893	  and *.name NSECs can prove nodata for empty nonterminals.
11894	  Also, for wildcard name NSECs, check they are not from the parent
11895	  zone (for wildcarded zone cuts), and check absence of CNAME bit,
11896	  for a nodata proof.
11897	- configure option for memory allocation debugging.
11898	- port configure option for memory allocation to solaris10.
11899
119004 September 2007: Wouter
11901	- fixup of Leakage warning when serviced queries processed multiple
11902	  callbacks for the same query from the same server.
11903	- testbound removes config file from /tmp on failed exit.
11904	- fixup for referral cleanup of the additional section.
11905	- tests for cname, referral validation.
11906	- neater testbound tpkg output.
11907	- DNAMEs no longer match their apex when synthesized from the cache.
11908	- find correct signer name for DNAME responses.
11909	- wildcarded DNAME test and fixup code to detect.
11910	- prepend NSEC and NSEC3 rrsets in the iterator while chasing CNAMEs.
11911	  So that wildcarded CNAMEs get their NSEC with them to the answer.
11912	- test for a CNAME to a DNAME to a CNAME to an answer, all from
11913	  different domains, for key fetching and signature checking of
11914	  CNAME'd messages.
11915
119163 September 2007: Wouter
11917	- Fixed error in iterator that would cause assertion failure in
11918	  validator. CNAME to a NXDOMAIN response was collated into a response
11919	  with both a CNAME and the NXDOMAIN rcode. Added a test that the
11920	  rcode is changed to NOERROR (because of the CNAME).
11921	- timeout on tcp does not lead to spurious leakage detect.
11922	- account memory for name of lame zones, so that memory leakages does
11923	  not show lame cache growth as a leakage growth.
11924	- config setting for lameness cache expressed in bytes, instead of
11925	  number of entries.
11926	- tool too summarize allocations per code line.
11927
1192831 August 2007: Wouter
11929	- can read bind trusted-keys { ... }; files, in a compatibility mode.
11930	- iterator should not detach target queries that it still could need.
11931	  the protection against multiple outstanding queries is moved to a
11932	  current_query num check.
11933	- validator nodata, positive, referral tests.
11934	- dname print can print '*' wildcard.
11935
1193630 August 2007: Wouter
11937	- fixup override date config option.
11938	- config options to control memory usage.
11939	- caught bad free of un-alloced data in worker_send error case.
11940	- memory accounting for key cache (trust anchors and temporary cache).
11941	- memory accounting fixup for outside network tcp pending waits.
11942	- memory accounting fixup for outside network tcp callbacks.
11943	- memory accounting for iterator fixed storage.
11944	- key cache size and slabs config options.
11945	- lib crypto cleanups at exit.
11946
1194729 August 2007: Wouter
11948	- test tool to sign rrsets for testing validator with.
11949	- added RSA and DSA test keys, public and private pairs, 512 bits.
11950	- default configuration is with validation enabled.
11951	  Only a trust-anchor needs to be configured for DNSSEC to work.
11952	- do not convert to DER for DSA signature verification.
11953	- validator replay test file, for a DS to DNSKEY DSA key prime and
11954	  positive response.
11955
1195628 August 2007: Wouter
11957	- removed double use for udp buffers, that could fail,
11958	  instead performs a malloc to do the backup.
11959	- validator validates referral messages, by validating all the rrsets
11960	  and stores the rrsets in the cache. Further referral (nonRD queries)
11961	  replies are made from the rrset cache directly. Unless unchecked
11962	  rrsets are encountered, there are then validated.
11963	- enforce that signing is done by a parent domain (or same domain).
11964	- adjust TTL downwards if rrset TTL bigger than signature allows.
11965	- permissive mode feature, sets AD bit for secure, but bogus does
11966	  not give servfail (bogus is changed into indeterminate).
11967	- optimization of rrset verification. rr canonical sorting is reused,
11968	  for the same rrset. canonical rrset image in buffer is reused for
11969	  the same signature.
11970	- if the rrset is too big (64k exactly + large owner name) the
11971	  canonicalization routine will fail if it does not fit in buffer.
11972	- faster verification for large sigsets.
11973	- verb_detail mode reports validation failures, but not the entire
11974	  algorithm for validation. Key prime failures are reported as
11975	  verb_ops level.
11976
1197727 August 2007: Wouter
11978	- do not garble the edns if a cache answer fails.
11979	- answer norecursive from cache if possible.
11980	- honor clean_additional setting when returning secure non-recursive
11981	  referrals.
11982	- do not store referral in msg cache for nonRD queries.
11983	- store verification status in the rrset cache to speed up future
11984	  verification.
11985	- mark rrsets indeterminate and insecure if they are found to be so.
11986	  and store this in the cache.
11987
1198824 August 2007: Wouter
11989	- message is bogus if unsecure authority rrsets are present.
11990	- val-clean-additional option, so you can turn it off.
11991	- move rrset verification out of the specific proof types into one
11992	  routine. This makes the proof routines prettier.
11993	- fixup cname handling in validator, cname-to-positive and cname-to-
11994	  nodata work.
11995	- Do not synthesize DNSKEY and DS responses from the rrset cache if
11996	  the rrset is from the additional section. Signatures may have
11997	  fallen off the packet, and cause validation failure.
11998	- more verbose signature date errors (with the date attached).
11999	- increased default infrastructure cache size. It is important for
12000	  performance, and 1000 entries are only 212k (or a 400 k total cache
12001	  size). To 10000 entries (for 2M entries, 4M cache size).
12002
1200323 August 2007: Wouter
12004	- CNAME handling - move needs_validation to before val_new().
12005	  val_new() setups the chase-reply to be an edited copy of the msg.
12006	  new classification, and find signer can find for it.
12007	  removal of unsigned crap from additional, and query restart for
12008	  cname.
12009	- refuse to follow wildcarded DNAMEs when validating.
12010	  But you can query for qtype ANY, or qtype DNAME and validate that.
12011
1201222 August 2007: Wouter
12013	- bogus TTL.
12014	- review - use val_error().
12015
1201621 August 2007: Wouter
12017	- ANY response validation.
12018	- store security status in cache.
12019	- check cache security status and either send the query to be
12020	  validated, return the query to client, or send servfail to client.
12021	  Sets AD bit on validated replies.
12022	- do not examine security status on an error reply in mesh_done.
12023	- construct DS, DNSKEY messages from rrset cache.
12024	- manual page entry for override-date.
12025
1202620 August 2007: Wouter
12027	- validate and positive validation, positive wildcard NSEC validation.
12028	- nodata validation, nxdomain validation.
12029
1203018 August 2007: Wouter
12031	- process DNSKEY response in FINDKEY state.
12032
1203317 August 2007: Wouter
12034	- work on DS2KE routine.
12035	- val_nsec.c for validator NSEC proofs.
12036	- unit test for NSEC bitmap reading.
12037	- dname iswild and canonical_compare with unit tests.
12038
1203916 August 2007: Wouter
12040	- DS sig unit test.
12041	- latest release libevent 1.3c and 1.3d have threading fixed.
12042	- key entry fixup data pointer and ttl absolute.
12043	- This makes a key-prime succeed in validator, with DS or DNSKEY as
12044	  trust-anchor.
12045	- fixup canonical compare byfield routine, fix bug and also neater.
12046	- fixed iterator response type classification for queries of type
12047	  ANY and NS.
12048	  dig ANY gives sometimes NS rrset in AN and NS section, and parser
12049	  removes the NS section duplicate. dig NS gives sometimes the NS
12050	  in the answer section, as referral.
12051	- validator FINDKEY state.
12052
1205315 August 2007: Wouter
12054	- crypto calls to verify signatures.
12055	- unit test for rrsig verification.
12056
1205714 August 2007: Wouter
12058	- default outgoing ports changed to avoid port 2049 by default.
12059	  This port is widely blocked by firewalls.
12060	- count infra lameness cache in memory size.
12061	- accounting of memory improved
12062	- outbound entries are allocated in the query region they are for.
12063	- extensive debugging for memory allocations.
12064	- --enable-lock-checks can be used to enable lock checking.
12065	- protect undefs in config.h from autoheaders ministrations.
12066	- print all received udp packets. log hex will print on multiple
12067	  lines if needed.
12068	- fixed error in parser with backwards rrsig references.
12069	- mark cycle targets for iterator did not have CD flag so failed
12070	  its task.
12071
1207213 August 2007: Wouter
12073	- fixup makefile, if lexer is missing give nice error and do not
12074	  mess up the dependencies.
12075	- canonical compare routine updated.
12076	- canonical hinfo compare.
12077	- printout list of the queries that the mesh is working on.
12078
1207910 August 2007: Wouter
12080	- malloc and free overrides that track total allocation and frees.
12081	  for memory debugging.
12082	- work on canonical sort.
12083
120849 August 2007: Wouter
12085	- canonicalization, signature checks
12086	- dname signature label count and unit test.
12087	- added debug heap size print to memory printout.
12088	- typo fixup in worker.c
12089	- -R needed on solaris.
12090	- validator override option for date check testing.
12091
120928 August 2007: Wouter
12093	- ldns _raw routines created (in ldns trunk).
12094	- sigcrypt DS digest routines
12095	- val_utils uses sigcrypt to perform signature cryptography.
12096	- sigcrypt keyset processing
12097
120987 August 2007: Wouter
12099	- security status type.
12100	- security status is copied when rdata is equal for rrsets.
12101	- rrset id is updated to invalidate all the message cache entries
12102	  that refer to NSEC, NSEC3, DNAME rrsets that have changed.
12103	- val_util work
12104	- val_sigcrypt file for validator signature checks.
12105
121066 August 2007: Wouter
12107	- key cache for validator.
12108	- moved isroot and dellabel to own dname routines, with unit test.
12109
121103 August 2007: Wouter
12111	- replanning.
12112	- scrubber check section of lame NS set.
12113	- trust anchors can be in config file or read from zone file,
12114	  DS and DNSKEY entries.
12115	- unit test trust anchor storage.
12116	- trust anchors converted to packed rrsets.
12117	- key entry definition.
12118
121192 August 2007: Wouter
12120	- configure change for latest libevent trunk version (needs -lrt).
12121	- query_done and walk_supers are moved out of module interface.
12122	- fixup delegation point duplicates.
12123	- fixup iterator scrubber; lame NS set is let through the scrubber
12124	  so that the classification is lame.
12125	- validator module exists, and does nothing but pass through,
12126	  with calling of next module and return.
12127	- validator work.
12128
121291 August 2007: Wouter
12130	- set version to 0.5
12131	- module work for module to module interconnections.
12132	- config of modules.
12133	- detect cycle takes flags.
12134
1213531 July 2007: Wouter
12136	- updated plan
12137	- release 0.4 tag.
12138
1213930 July 2007: Wouter
12140	- changed random state init, so that sequential process IDs are not
12141	  cancelled out by sequential thread-ids in the random number seed.
12142	- the fwd_three test, which sends three queries to unbound, and
12143	  unbound is kept waiting by ldns-testns for 3 seconds, failed
12144	  because the retry timeout for default by unbound is 3 seconds too,
12145	  it would hit that timeout and fail the test. Changed so that unbound
12146	  is kept waiting for 2 seconds instead.
12147
1214827 July 2007: Wouter
12149	- removed useless -C debug option. It did not work.
12150	- text edit of documentation.
12151	- added doc/CREDITS file, referred to by the manpages.
12152	- updated planning.
12153
1215426 July 2007: Wouter
12155	- cycle detection, for query state dependencies. Will attempt to
12156	  circumvent the cycle, but if no other targets available fails.
12157	- unit test for AXFR, IXFR response.
12158	- test for cycle detection.
12159
1216025 July 2007: Wouter
12161	- testbound read ADDRESS and check it.
12162	- test for version.bind and friends.
12163	- test for iterator chaining through several referrals.
12164	- test and fixup for refetch for glue. Refetch fails if glue
12165	  is still not provided.
12166
1216724 July 2007: Wouter
12168	- Example section in config manual.
12169	- Addr stored for range and moment in replay.
12170
1217120 July 2007: Wouter
12172	- Check CNAME chain before returning cache entry with CNAMEs.
12173	- Option harden-glue, default is on. It will discard out of zone
12174	  data. If disabled, performance is faster, but spoofing attempts
12175	  become a possibility. Note that still normalize scrubbing is done,
12176	  and that the potentially spoofed data is used for infrastructure
12177	  and not returned to the client.
12178	- if glue times out, refetch by asking parent of delegation again.
12179	  Much like asking for DS at the parent side.
12180	- TODO items from forgery-resilience draft.
12181	  and on memory handling improvements.
12182	- renamed module_event_timeout to module_event_noreply.
12183	- memory reporting code; reports on memory usage after handling
12184	  a network packet (not on cache replies).
12185
1218619 July 2007: Wouter
12187	- shuffle NS selection when getting nameserver target addresses.
12188	- fixup of deadlock warnings, yield cpu in checklock code so that
12189	  freebsd scheduler selects correct process to run.
12190	- added identity and version config options and replies.
12191	- store cname messages complete answers.
12192
1219318 July 2007: Wouter
12194	- do not query addresses, 127.0.0.1, and ::1 by default.
12195
1219617 July 2007: Wouter
12197	- forward zone options in config file.
12198	- forward per zone in iterator. takes precedence over stubs.
12199	- fixup commithooks.
12200	- removed forward-to and forward-to-port features, subsumed by
12201	  new forward zones.
12202	- fix parser to handle absent server: clause.
12203	- change untrusted rrset test to account for scrubber that is now
12204	  applied during the test (which removes the poison, by the way).
12205	- feature, addresses can be specified with @portnumber, like nsd.conf.
12206	- test config files changed over to new forwarder syntax.
12207
1220827 June 2007: Wouter
12209	- delete of mesh does a postorder traverse of the tree.
12210	- found and fixed a memory leak. For TTL=0 messages, that would
12211	  not be cached, instead the msg-replyinfo structure was leaked.
12212	- changed server selection so it will filter out hosts that are
12213	  unresponsive. This is defined as a host with the maximum rto value.
12214	  This means that unbound tried the host for retries up to 120 secs.
12215	  The rto value will time out after host-ttl seconds from the cache.
12216	  This keeps such unresolvable queries from taking up resources.
12217	- utility for keeping histogram.
12218
1221926 June 2007: Wouter
12220	- mesh is called by worker, and iterator uses it.
12221	  This removes the hierarchical code.
12222	  QueryTargets state and Finished state are merged for iterator.
12223	- forwarder mode no longer sets AA bit on first reply.
12224	- rcode in walk_supers is not needed.
12225
1222625 June 2007: Wouter
12227	- more mesh work.
12228	- error encode routine for ease.
12229
1223022 June 2007: Wouter
12231	- removed unused _node iterator value from rbtree_t. Takes up space.
12232	- iterator can handle querytargets state without a delegation point
12233	  set, so that a priming(stub) subquery error can be handled.
12234	- iterator stores if it is priming or not.
12235	- log_query_info() neater logging.
12236	- changed iterator so that it does not alter module_qstate.qinfo
12237	  but keeps a chase query info. Also query_flags are not altered,
12238	  the iterator uses chase_flags.
12239	- fixup crash in case no ports for the family exist.
12240
1224121 June 2007: Wouter
12242	- Fixup secondary buffer in case of error callback.
12243	- cleanup slumber list of runnable states.
12244	- module_subreq_depth fails to work in slumber list.
12245	- fixup query release for cached results to sub targets.
12246	- neater error for tcp connection failure, shows addr in verbose.
12247	- rbtree_init so that it can be used with preallocated memory.
12248
1224920 June 2007: Wouter
12250	- new -C option to enable coredumps after forking away.
12251	- doc update.
12252	- fixup CNAME generation by scrubber, and memory allocation of it.
12253	- fixup deletion of serviced queries when all callbacks delete too.
12254	- set num target queries to 0 when you move them to slumber list.
12255	- typo in check caused subquery errors to be ignored, fixed.
12256	- make lint happy about rlim_t.
12257	- freeup of modules after freeup of module-states.
12258	- duplicate replies work, this uses secondary udp buffer in outnet.
12259
1226019 June 2007: Wouter
12261	- nicer layout in stats.c, review 0.3 change.
12262	- spelling improvement, review 0.3 change.
12263	- uncapped timeout for server selection, so that very fast or slow
12264	  servers will stand out from the rest.
12265	- target-fetch-policy: "3 2 1 0 0" config setting.
12266	- fixup queries answered without RD bit (for root prime results).
12267	- refuse AXFR and IXFR requests.
12268	- fixup RD flag in error reply from iterator. fixup RA flag from
12269	  worker error reply.
12270	- fixup encoding of very short edns buffer sizes, now sets TC bit.
12271	- config options harden-short-bufsize and harden-large-queries.
12272
1227318 June 2007: Wouter
12274	- same, move subqueries to slumber list when first has resolved.
12275	- fixup last fix for duplicate callbacks.
12276	- another offbyone in targetcounter. Also in Java prototype by the way.
12277
1227815 June 2007: Wouter
12279	- if a query asks to be notified of the same serviced query result
12280	  multiple times, this will succeed. Only one callback will happen;
12281	  multiple outbound-list entries result (but the double cleanup of it
12282	  will not matter).
12283	- when iterator moves on due to CNAME or referral, it will remove
12284	  the subqueries (for other targets). These are put on the slumber
12285	  list.
12286	- state module wait subq is OK with no new subqs, an old one may have
12287	  stopped, with an error, and it is still waiting for other ones.
12288	- if a query loops, halt entire query (easy way to clean up properly).
12289
1229014 June 2007: Wouter
12291	- num query targets was > 0 , not >= 0 compared, so that fetch
12292	  policy of 0 did nothing.
12293
1229413 June 2007: Wouter
12295	- debug option: configure --enable-static-exe for compile where
12296	  ldns and libevent are linked statically. Default is off.
12297	- make install and make uninstall. Works with static-exe and without.
12298	  installation of unbound binary and manual pages.
12299	- alignment problem fix on solaris 64.
12300	- fixup address in case of TCP error.
12301
1230212 June 2007: Wouter
12303	- num target queries was set to 0 at a bad time. Default it to 0 and
12304	  increase as target queries are done.
12305	- synthesize CNAME and DNAME responses from the cache.
12306	- Updated doxygen config for doxygen 1.5.
12307	- aclocal newer version.
12308	- doxygen 1.5 fixes for comments (for the strict check on docs).
12309
1231011 June 2007: Wouter
12311	- replies on TCP queries have the address field set in replyinfo,
12312	  for serviced queries, because the initiator does not know that
12313	  a TCP fallback has occurred.
12314	- omit DNSSEC types from nonDO replies, except if qtype is ANY or
12315	  if qtype directly queries for the type (and then only show that
12316	  'unknown type' in the answer section).
12317	- fixed message parsing where rrsigs on their own would be put
12318	  in the signature list over the rrsig type.
12319
123207 June 2007: Wouter
12321	- fixup error in double linked list insertion for subqueries and
12322	  for outbound list of serviced queries for iterator module.
12323	- nicer printout of outgoing port selection.
12324	- fixup cname target readout.
12325	- nicer debug output.
12326	- fixup rrset counts when prepending CNAMEs to the answer.
12327	- fixup rrset TTL for prepended CNAMEs.
12328	- process better check for looping modules, and which submodule to
12329	  run next.
12330	- subreq insertion code fixup for slumber list.
12331	- VERB_DETAIL, verbosity: 2 level gives short but readable output.
12332	  VERB_ALGO, verbosity: 3 gives extensive output.
12333	- fixup RA bit in cached replies.
12334	- fixup CNAME responses from the cache no longer partial response.
12335	- error in network send handled without leakage.
12336	- enable ip6 from config, and try ip6 addresses if available,
12337	  if ip6 is not connected, skips to next server.
12338
123395 June 2007: Wouter
12340	- iterator state finished.
12341	- subrequests without parent store in cache and stop.
12342	- worker slumber list for ongoing promiscuous queries.
12343	- subrequest error handling.
12344	- priming failure returns SERVFAIL.
12345	- priming gives LAME result, returns SERVFAIL.
12346	- debug routine to print dns_msg as handled by iterator.
12347	- memleak in config file stubs fixup.
12348	- more small bugs, in scrubber, query compare no ID for lookup,
12349	  in dname validation for NS targets.
12350	- sets entry.key for new special allocs.
12351	- lognametypeclass can display unknown types and classes.
12352
123534 June 2007: Wouter
12354	- random selection of equally preferred nameserver targets.
12355	- reply info copy routine. Reuses existing code.
12356	- cache lameness in response handling.
12357	- do not touch qstate after worker_process_query because it may have
12358	  been deleted by that routine.
12359	- Prime response state.
12360	- Process target response state.
12361	- some memcmp changed to dname_compare for case preservation.
12362
123631 June 2007: Wouter
12364	- normalize incoming messages. Like unbound-java, with CNAME chain
12365	  checked, DNAME checked, CNAME's synthesized, glue checked.
12366	- sanitize incoming messages.
12367	- split msgreply encode functions into own file msgencode.c.
12368	- msg_parse to queryinfo/replyinfo conversion more versatile.
12369	- process_response, classify response, delegpt_from_message.
12370
1237131 May 2007: Wouter
12372	- querytargets state.
12373	- dname_subdomain_c() routine.
12374	- server selection, based on RTT. ip6 is filtered out if not available,
12375	  and lameness is checked too.
12376	- delegation point copy routine.
12377
1237830 May 2007: Wouter
12379	- removed FLAG_CD from message and rrset caches. This was useful for
12380	  an agnostic forwarder, but not for a sophisticated (trust value per
12381	  rrset enabled) cache.
12382	- iterator response typing.
12383	- iterator cname handle.
12384	- iterator prime start.
12385	- subquery work.
12386	- processInitRequest and processInitRequest2.
12387	- cache synthesizes referral messages, with DS and NSEC.
12388	- processInitRequest3.
12389	- if a request creates multiple subrequests these are all activated.
12390
1239129 May 2007: Wouter
12392	- routines to lock and unlock array of rrsets moved to cache/rrset.
12393	- lookup message from msg cache (and copy to region).
12394	- fixed cast error in dns msg lookup.
12395	- message with duplicate rrset does not increase its TTLs twice.
12396	- 'qnamesize' changed to 'qname_len' for similar naming scheme.
12397
1239825 May 2007: Wouter
12399	- Acknowledge use of unbound-java code in iterator. Nicer readme.
12400	- services/cache/dns.c DNS Cache. Hybrid cache uses msgcache and
12401	  rrset cache from module environment.
12402	- packed rrset key has type and class as easily accessible struct
12403	  members. They are still kept in network format for fast msg encode.
12404	- dns cache find_delegation routine.
12405	- iterator main functions setup.
12406	- dns cache lookup setup.
12407
1240824 May 2007: Wouter
12409	- small changes to prepare for subqueries.
12410	- iterator forwarder feature separated out.
12411	- iterator hints stub code, config file stub code, so that first
12412	  testing can proceed locally.
12413	- replay tests now have config option to enable forwarding mode.
12414
1241523 May 2007: Wouter
12416	- outside network does precise timers for roundtrip estimates for rtt
12417	  and for setting timeout for UDP. Pending_udp takes milliseconds.
12418	- cleaner iterator sockaddr conversion of forwarder address.
12419	- iterator/iter_utils and iter_delegpt setup.
12420	- root hints.
12421
1242222 May 2007: Wouter
12423	- outbound query list for modules and support to callback with the
12424	  outbound entry to the module.
12425	- testbound support for new serviced queries.
12426	- test for retry to TCP cannot use testbound any longer.
12427	- testns test for EDNS fallback, test for TCP fallback already exists.
12428	- fixes for no-locking compile.
12429	- mini_event timer precision and fix for change in timeouts during
12430	  timeout callback. Fix for fwd_three tests, performed nonexit query.
12431
1243221 May 2007: Wouter
12433	- small comment on hash table locking.
12434	- outside network serviced queries, contain edns and tcp fallback,
12435	  and udp retries and rtt timing.
12436
1243716 May 2007: Wouter
12438	- lruhash_touch() would cause locking order problems. Fixup in
12439	  lock-verify in case locking cycle is found.
12440	- services/cache/rrset.c for rrset cache code.
12441	- special rrset_cache LRU updating function that uses the rrset id.
12442	- no dependencies calculation when make clean is called.
12443	- config settings for infra cache.
12444	- daemon code slightly cleaner, only creates caches once.
12445
1244615 May 2007: Wouter
12447	- host cache code.
12448	- unit test for host cache.
12449
1245014 May 2007: Wouter
12451	- Port to OS/X and Dec Alpha. Printf format and alignment fixes.
12452	- extensive lock debug report on join timeout.
12453	- proper RTT calculation, in utility code.
12454	- setup of services/cache/infra, host cache.
12455
1245611 May 2007: Wouter
12457	- iterator/iterator.c module.
12458	- fixup to pass reply_info in testcode and in netevent.
12459
1246010 May 2007: Wouter
12461	- created release-0.3 svn tag.
12462	- util/module.h
12463	- fixed compression - no longer compresses root name.
12464
124659 May 2007: Wouter
12466	- outside network cleans up waiting tcp queries on exit.
12467	- fallback to TCP.
12468	- testbound replay with retry in TCP mode.
12469	- tpkg test for retry in TCP mode, against ldns-testns server.
12470	- daemon checks max number of open files and complains if not enough.
12471	- test where data expires in the cache.
12472	- compiletests: fixed empty body ifstatements in alloc.c, in case
12473	  locks are disabled.
12474
124758 May 2007: Wouter
12476	- outgoing network keeps list of available tcp buffers for outgoing
12477	  tcp queries.
12478	- outgoing-num-tcp config option.
12479	- outgoing network keeps waiting list of queries waiting for buffer.
12480	- netevent supports outgoing tcp commpoints, nonblocking connects.
12481
124827 May 2007: Wouter
12483	- EDNS read from query, used to make reply smaller.
12484	- advertised edns value constants.
12485	- EDNS BADVERS response, if asked for too high edns version.
12486	- EDNS extended error responses once the EDNS record from the query
12487	  has successfully been parsed.
12488
124894 May 2007: Wouter
12490	- msgreply sizefunc is more accurate.
12491	- config settings for rrset cache size and slabs.
12492	- hashtable insert takes argument so that a thread can use its own
12493	  alloc cache to store released keys.
12494	- alloc cache special_release() locks if necessary.
12495	- rrset trustworthiness type added.
12496	- thread keeps a scratchpad region for handling messages.
12497	- writev used in netevent to write tcp length and data after another.
12498	  This saves a roundtrip on tcp replies.
12499	- test for one rrset updated in the cache.
12500	- test for one rrset which is not updated, as it is not deemed
12501	  trustworthy enough.
12502	- test for TTL refreshed in rrset.
12503
125043 May 2007: Wouter
12505	- fill refs. Use new parse and encode to answer queries.
12506	- stores rrsets in cache.
12507	- uses new msgreply format in cache.
12508
125092 May 2007: Wouter
12510	- dname unit tests in own file and spread out neatly in functions.
12511	- more dname unit tests.
12512	- message encoding creates truncated TC flagged messages if they do
12513	  not fit, and will leave out (whole)rrsets from additional if needed.
12514
125151 May 2007: Wouter
12516	- decompress query section, extremely lenient acceptance.
12517	  But only for answers from other servers, not for plain queries.
12518	- compression and decompression test cases.
12519	- some stats added.
12520	- example.conf interface: line is changed from 127.0.0.1 which leads
12521	  to problems if used (restricting communication to the localhost),
12522	  to a documentation and test address.
12523
1252427 April 2007: Wouter
12525	- removed iov usage, it is not good for dns message encoding.
12526	- owner name compression more optimal.
12527	- rrsig owner name compression.
12528	- rdata domain name compression.
12529
1253026 April 2007: Wouter
12531	- floating point exception fix in lock-verify.
12532	- lint uses make dependency
12533	- fixup lint in dname owner domain name compression code.
12534	- define for offset range that can be compressed to.
12535
1253625 April 2007: Wouter
12537	- prettier code; parse_rrset->type kept in host byte order.
12538	- datatype used for hashvalue of converted rrsig structure.
12539	- unit test compares edns section data too.
12540
1254124 April 2007: Wouter
12542	- ttl per RR, for RRSIG rrsets and others.
12543	- dname_print debug function.
12544	- if type is not known, size calc will skip DNAME decompression.
12545	- RRSIG parsing and storing and putting in messages.
12546	- dnssec enabled unit tests (from nlnetlabs.nl and se queries).
12547	- EDNS extraction routine.
12548
1254920 April 2007: Wouter
12550	- code comes through all of the unit tests now.
12551	- disabled warning about spurious extra data.
12552	- documented the RRSIG parse plan in msgparse.h.
12553	- rrsig reading and outputting.
12554
1255519 April 2007: Wouter
12556	- fix unit test to actually to tests.
12557	- fix write iov helper, and fakevent code.
12558	- extra builtin testcase (small packet).
12559	- ttl converted to network format in packets.
12560	- flags converted correctly
12561	- rdatalen off by 2 error fixup.
12562	- uses less iov space for header.
12563
1256418 April 2007: Wouter
12565	- review of msgparse code.
12566	- smaller test cases.
12567
1256817 April 2007: Wouter
12569	- copy and decompress dnames.
12570	- store calculated hash value too.
12571	- routine to create message out of stored information.
12572	- util/data/msgparse.c for message parsing code.
12573	- unit test, and first fixes because of test.
12574		* forgot rrset_count addition.
12575		* did & of ptr on stack for memory position calculation.
12576		* dname_pkt_copy forgot to read next label length.
12577	- test from file and fixes
12578		* double frees fixed in error conditions.
12579		* types with less than full rdata allowed by parser.
12580		  Some dynamic update packets seem to use it.
12581
1258216 April 2007: Wouter
12583	- following a small change in LDNS, parsing code calculates the
12584	  memory size to allocate for rrs.
12585	- code to handle ID creation.
12586
1258713 April 2007: Wouter
12588	- parse routines. Code that parses rrsets, rrs.
12589
1259012 April 2007: Wouter
12591	- dname compare routine that preserves case, with unit tests.
12592
1259311 April 2007: Wouter
12594	- parse work - dname packet parse, msgparse, querysection parse,
12595	  start of sectionparse.
12596
1259710 April 2007: Wouter
12598	- Improved alignment of reply_info packet, nice for 32 and 64 bit.
12599	- Put RRset counts in reply_info, because the number of RRs can change
12600	  due to RRset updates.
12601	- import of region-allocator code from nsd.
12602	- set alloc special type to ub_packed_rrset_key.
12603	  Uses lruhash entry overflow chain next pointer in alloc cache.
12604	- doxygen documentation for region-allocator.
12605	- setup for parse scratch data.
12606
126075 April 2007: Wouter
12608	- discussed packed rrset with Jelte.
12609
126104 April 2007: Wouter
12611	- moved to version 0.3.
12612	- added util/data/dname.c
12613	- layout of memory for rrsets.
12614
126153 April 2007: Wouter
12616	- detect sign of msghdr.msg_iovlen so that the cast to that type
12617	  in netevent (which is there to please lint) can be correct.
12618	  The type on several OSes ranges from int, int32, uint32, size_t.
12619	  Detects unsigned or signed using math trick.
12620	- constants for DNS flags.
12621	- compilation without locks fixup.
12622	- removed include of unportable header from lookup3.c.
12623	- more portable use of struct msghdr.
12624	- casts for printf warning portability.
12625	- tweaks to tests to port them to the testbed.
12626	- 0.2 tag created.
12627
126282 April 2007: Wouter
12629	- check sizes of udp received messages, not too short.
12630	- review changes. Some memmoves can be memcpys: 4byte aligned.
12631	  set id correctly on cached answers.
12632	- review changes msgreply.c, memleak on error condition. AA flag
12633	  clear on cached reply. Lowercase queries on hashing.
12634	  unit test on lowercasing. Test AA bit not set on cached reply.
12635	  Note that no TTLs are managed.
12636
1263729 March 2007: Wouter
12638	- writev or sendmsg used when answering from cache.
12639	  This avoids a copy of the data.
12640	- do not do useless byteswap on query id. Store reply flags in uint16
12641	  for easier access (and no repeated byteswapping).
12642	- reviewed code.
12643	- configure detects and config.h includes sys/uio.h for writev decl.
12644
1264528 March 2007: Wouter
12646	- new config option: num-queries-per-thread.
12647	- added tpkg test for answering three queries at the same time
12648	  using one thread (from the query service list).
12649
1265027 March 2007: Wouter
12651	- added test for cache and not cached answers, in testbound replays.
12652	- testbound can give config file and commandline options from the
12653	  replay file to unbound.
12654	- created test that checks if items drop out of the cache.
12655	- added word 'partitioned hash table' to documentation on slab hash.
12656	  A slab hash is a partitioned hash table.
12657	- worker can handle multiple queries at a time.
12658
1265926 March 2007: Wouter
12660	- config settings for slab hash message cache.
12661	- test for cached answer.
12662	- Fixup deleting fake answer from testbound list.
12663
1266423 March 2007: Wouter
12665	- review of yesterday's commits.
12666	- covered up memory leak of the entry locks.
12667	- answers from the cache correctly. Copies flags correctly.
12668	- sanity check for incoming query replies.
12669	- slabbed hash table. Much nicer contention, need dual cpu to see.
12670
1267122 March 2007: Wouter
12672	- AIX configure check.
12673	- lock-verify can handle references to locks that are created
12674	  in files it has not yet read in.
12675	- threaded hash table test.
12676	- unit test runs lock-verify afterwards and checks result.
12677	- need writelock to update data on hash_insert.
12678	- message cache code, msgreply code.
12679
1268021 March 2007: Wouter
12681	- unit test of hash table, fixup locking problem in table_grow().
12682	- fixup accounting of sizes for removing items from hashtable.
12683	- unit test for hash table, single threaded test of integrity.
12684	- lock-verify reports errors nicely. More quiet in operation.
12685
1268616 March 2007: Wouter
12687	- lock-verifier, checks consistent order of locking.
12688
1268914 March 2007: Wouter
12690	- hash table insert (and subroutines) and lookup implemented.
12691	- hash table remove.
12692	- unit tests for hash internal bin, lru functions.
12693
1269413 March 2007: Wouter
12695	- lock_unprotect in checklocks.
12696	- util/storage/lruhash.h for LRU hash table structure.
12697
1269812 March 2007: Wouter
12699	- configure.ac moved to 0.2.
12700	- query_info and replymsg util/data structure.
12701
127029 March 2007: Wouter
12703	- added rwlock writelock checking.
12704	  So it will keep track of the writelock, and readlocks are enforced
12705	  to not change protected memory areas.
12706	- log_hex function to dump hex strings to the logfile.
12707	- checklocks zeroes its destroyed lock after checking memory areas.
12708	- unit test for alloc.
12709	- identifier for union in checklocks to please older compilers.
12710	- created 0.1 tag.
12711
127128 March 2007: Wouter
12713	- Reviewed checklock code.
12714
127157 March 2007: Wouter
12716	- created a wrapper around thread calls that performs some basic
12717	  checking for data race and deadlock, and basic performance
12718	  contention measurement.
12719
127206 March 2007: Wouter
12721	- Testbed works with threading (different machines, different options).
12722	- alloc work, does the special type.
12723
127242 March 2007: Wouter
12725	- do not compile fork funcs unless needed. Otherwise will give
12726	  type errors as their typedefs have not been enabled.
12727	- log shows thread numbers much more nicely (and portably).
12728	- even on systems with nonthreadsafe libevent signal handling,
12729	  unbound will exit if given a signal.
12730	  Reloads will not work, and exit is not graceful.
12731	- start of alloc framework layout.
12732
127331 March 2007: Wouter
12734	- Signals, libevent and threads work well, with libevent patch and
12735	  changes to code (close after event_del).
12736	- set ipc pipes nonblocking.
12737
1273827 February 2007: Wouter
12739	- ub_thread_join portable definition.
12740	- forking is used if no threading is available.
12741	  Tested, it works, since pipes work across processes as well.
12742	  Thread_join is replaced with waitpid.
12743	- During reloads the daemon will temporarily handle signals,
12744	  so that they do not result in problems.
12745	- Also randomize the outgoing port range for tests.
12746	- If query list is full, will stop selecting listening ports for read.
12747	  This makes all threads service incoming requests, instead of one.
12748	  No memory is leaking during reloads, service of queries, etc.
12749	- test that uses ldns-testns -f to test threading. Have to answer
12750	  three queries at the same time.
12751	- with verbose=0 operates quietly.
12752
1275326 February 2007: Wouter
12754	- ub_random code used to select ID and port.
12755	- log code prints thread id.
12756	- unbound can thread itself, with reload(HUP) and quit working
12757	  correctly.
12758	- don't open pipes for #0, doesn't need it.
12759	- listens to SIGTERM, SIGQUIT, SIGINT (all quit) and SIGHUP (reload).
12760
1276123 February 2007: Wouter
12762	- Can do reloads on sigHUP. Everything is stopped, and freed,
12763	  except the listening ports. Then the config file is reread.
12764	  And everything is started again (and listening ports if needed).
12765	- Ports for queries are shared.
12766	- config file added interface:, chroot: and username:.
12767	- config file: directory, logfile, pidfile. And they work too.
12768	- will daemonize by default now. Use -d to stay in the foreground.
12769	- got BSD random[256 state] code, made it threadsafe. util/random.
12770
1277122 February 2007: Wouter
12772	- Have a config file. Removed commandline options, moved to config.
12773	- tests use config file.
12774
1277521 February 2007: Wouter
12776	- put -c option in man page.
12777	- minievent fd array capped by FD_SETSIZE.
12778
1277920 February 2007: Wouter
12780	- Added locks code and pthread spinlock detection.
12781	- can use no locks, or solaris native thread library.
12782	- added yacc and lex configure, and config file parsing code.
12783	  also makedist.sh, and manpage.
12784	- put include errno.h in config.h
12785
1278619 February 2007: Wouter
12787	- Created 0.0 svn tag.
12788	- added acx_pthread.m4 autoconf check for pthreads from
12789	  the autoconf archive. It is GPL-with-autoconf-exception Licensed.
12790	  You can specify --with-pthreads, or --without-pthreads to configure.
12791
1279216 February 2007: Wouter
12793	- Updated testbed script, works better by using make on remote end.
12794	- removed check decls, we can compile without them.
12795	- makefile supports LIBOBJ replacements.
12796	- docs checks ignore compat code.
12797	- added util/mini-event.c and .h, a select based alternative used with
12798	  ./configure --with-libevent=no
12799	  It is limited to 1024 file descriptors, and has less features.
12800	- will not create ip6 sockets if ip6 not on the machine.
12801
1280215 February 2007: Wouter
12803	- port to FreeBSD 4.11 Dec Alpha. Also works on Solaris 10 sparc64,
12804	  Solaris 9, FreeBSD 6, Linux i386 and OSX powerpc.
12805	- malloc rndstate, so that it is aligned for access.
12806	- fixed rbtree cleanup with postorder traverse.
12807	- fixed pending messages are deleted when handled.
12808	- You can control verbosity; default is not verbose, every -v
12809	  adds more verbosity.
12810
1281114 February 2007: Wouter
12812	- Included configure.ac changes from ldns.
12813	- detect (some) headers before the standards check.
12814	- do not use isblank to test c99, since its not available on solaris9.
12815	- review of testcode.
12816		* entries in a RANGE are no longer reversed.
12817		* print name of file with replay entry parse errors.
12818	- port to OSX: cast to int for some prints of sizet.
12819	- Makefile copies ldnstestpkts.c before doing dependencies on it.
12820
1282113 February 2007: Wouter
12822	- work on fake events, first fwd replay works.
12823	- events can do timeouts and errors on queries to servers.
12824	- test package that runs replay scenarios.
12825
1282612 February 2007: Wouter
12827	- work on fake events.
12828
128299 February 2007: Wouter
12830	- replay file reading.
12831	- fake event setup, it creates fake structures, and teardowns,
12832	  added signal callbacks to reply to be able to fake those,
12833	  and main structure of event replay routines.
12834
128358 February 2007: Wouter
12836	- added tcp test.
12837	- replay storage.
12838	- testcode/fake_event work.
12839
128407 February 2007: Wouter
12841	- return answer with the same ID as query was sent with.
12842	- created udp forwarder test. I've done some effort to make it perform
12843	  quickly. After servers are created, no big sleep statements but
12844	  it checks the logfiles to see if servers have come up. Takes 0.14s.
12845	- set addrlen value when calling recvfrom.
12846	- comparison of addrs more portable.
12847	- LIBEVENT option for testbed to set libevent directory.
12848	- work on tcp input.
12849
128506 February 2007: Wouter
12851	- reviewed code and improved in places.
12852
128535 February 2007: Wouter
12854	- Picked up stdc99 and other define tests from ldns. Improved
12855	  POSIX define test to include getaddrinfo.
12856	- defined constants for netevent callback error code.
12857	- unit test for strisip6.
12858
128592 February 2007: Wouter
12860	- Created udp4 and udp6 port arrays to provide service for both
12861	  address families.
12862	- uses IPV6_USE_MIN_MTU for udp6 ,IPV6_V6ONLY to make ip6 sockets.
12863	- listens on both ip4 and ip6 ports to provide correct return address.
12864	- worker fwder address filled correctly.
12865	- fixup timer code.
12866	- forwards udp queries and sends answer.
12867
128681 February 2007: Wouter
12869	- outside network more UDP work.
12870	- moved * closer to type.
12871	- comm_timer object and events.
12872
1287331 January 2007: Wouter
12874	- Added makedist.sh script to make release tarball.
12875	- Removed listen callback layer, did not add anything.
12876	- Added UDP recv to netevent, worker callback for udp.
12877	- netevent communication reply storage structure.
12878	- minimal query header sanity checking for worker.
12879	- copied over rbtree implementation from NSD (BSD licensed too).
12880	- outgoing network query service work.
12881
1288230 January 2007: Wouter
12883	- links in example/ldns-testpkts.c and .h for premade packet support.
12884	- added callback argument to listen_dnsport and daemon/worker.
12885
1288629 January 2007: Wouter
12887	- unbound.8 a short manpage.
12888
1288926 January 2007: Wouter
12890	- fixed memleak.
12891	- make lint works on BSD and Linux (openssl defines).
12892	- make tags works.
12893	- testbound program start.
12894
1289525 January 2007: Wouter
12896	- fixed lint so it may work on BSD.
12897	- put license into header of every file.
12898	- created verbosity flag.
12899	- fixed libevent configure flag.
12900	- detects event_base_free() in new libevent 1.2 version.
12901	- getopt in daemon. fatal_exit() and verbose() logging funcs.
12902	- created log_assert, that throws assertions to the logfile.
12903	- listen_dnsport service. Binds ports.
12904
1290524  January 2007: Wouter
12906	- cleaned up configure.ac.
12907
1290823  January 2007: Wouter
12909	- added libevent to configure to link with.
12910	- util/netevent setup work.
12911	- configure searches for libevent.
12912	- search for libs at end of configure (when other headers and types
12913	  have been found).
12914	- doxygen works with ATTR_UNUSED().
12915	- util/netevent implementation.
12916
1291722  January 2007: Wouter
12918	- Designed header file for network communication.
12919
1292016  January 2007: Wouter
12921	- added readme.svn and readme.tests.
12922
129234 January 2007: Wouter
12924	- Testbed script (run on multiple platforms the test set).
12925	  Works on Sunos9, Sunos10, FreeBSD 6.1, Fedora core 5.
12926	- added unit test tpkg.
12927
129283 January 2007: Wouter
12929	- committed first set of files into subversion repository.
12930	  svn co svn+ssh://unbound.net/svn/unbound
12931	  You need a ssh login.  There is no https access yet.
12932	- Added LICENSE, the BSD license.
12933	- Added doc/README with compile help.
12934	- main program stub and quiet makefile.
12935	- minimal logging service (to stderr).
12936	- added postcommit hook that serves emails.
12937	- added first test 00-lint. postcommit also checks if build succeeds.
12938	- 01-doc: doxygen doc target added for html docs. And stringent test
12939	  on documented files, functions and parameters.
12940
1294115 December 2006: Wouter
12942	- Created Makefile.in and configure.ac.
12943